author | Dan Fandrich <danf@mageia.org> | 2025-05-23 18:50:29 -0700 |
---|---|---|
committer | Dan Fandrich <danf@mageia.org> | 2025-05-23 18:58:07 -0700 |
commit | e7818b9d1f8957ed4ae02f22b1e11e681bf45549 (patch) | |
tree | fd308ff09fbdd1ad3edb0705a1f3853943ddf8a8 /modules/viewvc/files/setcookieredirect.html | |
parent | de3c56d3dff7c23adf9e6f1b6ebd141dcfb4efdc (diff) | |
Block expensive svnweb operations without a cookie
If an expensive request comes in from anyone without a cookie attached,
redirect to a page where the cookie is set using JavaScript, then
redirect back. This should block robots from these paths, most of which
do not support JavaScript. The collateral damage is that a JavaScript
browser is now required for users to access those paths. The contents
of the cookie are not currently checked, merely that it is set.
Diffstat (limited to 'modules/viewvc/files/setcookieredirect.html')
-rw-r--r-- | modules/viewvc/files/setcookieredirect.html | 27 |
1 files changed, 27 insertions, 0 deletions
diff --git a/modules/viewvc/files/setcookieredirect.html b/modules/viewvc/files/setcookieredirect.html new file mode 100644 index 00000000..d1b7ada4 --- /dev/null +++ b/modules/viewvc/files/setcookieredirect.html @@ -0,0 +1,27 @@ +<!DOCTYPE html> +<html> + <head> + <title>User check</title> + <script type="text/javascript" defer> + const randomValue = Math.random().toString(36).substring(2); + document.cookie = `session=${randomValue}; path=/; expires=${new Date(Date.now() + 24*3600*1000).toUTCString()}`; + const params = new Proxy(new URLSearchParams(window.location.search), { + get: (searchParams, prop) => searchParams.get(prop), + }); + let url = params.to; + // Sanitize redirect path to avoid malicious arbitrary redirects + if (/^\/[-_a-zA-Z0-9~.?&=/]*$/.test(url)) { + window.location.href = url; + } else { + window.onload = function() { + document.getElementById('error').innerHTML = 'Error! Bad redirect location!'; + } + } + </script> + </head> + <body> + Redirecting back... + <br> + <p id="error"><!-- space for error message --></p> + </body> +</html> |
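Review bot: The redirect check in the inline script accepts a `to` value that begins with two slashes, because `/` is inside the character class that follows the leading `\/`. A value such as `//host.example/` passes the test, and `window.location.href = url` then treats it as a protocol-relative URL and leaves the site, which is the arbitrary redirect the comment says the check is meant to stop. Rejecting a second leading slash closes this, for example by starting the pattern with `^\/(?!\/)`. Two smaller points in the same file: `defer` has no effect on an inline script, so the `window.onload` handler is what actually makes the error branch work, and the fixed error string can be written with `textContent` instead of `innerHTML`. The cookie is also set without `Secure` or `SameSite` attributes, which is worth adding even though only its presence is checked.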