[Interchange-announce] Re: Security hole in IC admin

Jon Jensen jon@akopia.com
Mon, 16 Apr 2001 18:26:03 -0500 (CDT)


Oops. I made a mistake in one of the patches. Using the localization
function errmsg() in do_view works in 4.7.x, but in 4.6.x it generates an
error. (The function was not imported into the current package namespace.)
This error still keeps the file from being displayed, but it's not ideal.

A better patch follows. Sorry about that.

Jon


Index: do_view.html
===================================================================
RCS file: /anon_cvs/repository/interchange/dist/lib/UI/pages/admin/do_view.html,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- do_view.html        2000/08/05 13:55:37     1.2
+++ do_view.html        2001/04/14 22:28:29     1.3
@@ -1,6 +1,10 @@
 [seti total_junk][perl]
        delete $Scratch->{violation};
        $_ = delete $Session->{arg};
+       $Scratch->{violation} = 'Must be logged in.'
+               unless $Session->{logged_in};
+       $Scratch->{violation} = 'Must be logged in as admin.'
+               unless $Session->{admin};
        $Scratch->{violation} = 'No .. allowed in file name.'
                if m{\.\./};
        $Scratch->{violation} = 'No | allowed.'
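
Review bot: The two added checks right after `$_ = delete $Session->{arg};` only assign $Scratch->{violation} and fall through, so nothing visible in this hunk stops processing and the fix depends on code outside it testing $Scratch->{violation} before the file is shown. Because the admin test runs unconditionally after the login test, a visitor who is not logged in gets 'Must be logged in as admin.' (or whichever later check overwrites it), and 'Must be logged in.' is only ever reported when admin is set without logged_in. Consider collapsing this to one check on $Session->{admin} that stops at the first failure, so the path checks below cannot replace the message, and add a short comment saying the strings are literal rather than passed through errmsg() so the page also works on 4.6.x.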