[interchange-cvs] interchange - heins modified lib/Vend/Page.pm

interchange-core@interchange.redhat.com interchange-core@interchange.redhat.com
Sat Oct 13 16:36:01 2001


User:      heins
Date:      2001-10-13 20:35:21 GMT
Modified:  lib/Vend Page.pm
Log:
	* Totally disallow scripting start chars (< and [) in page names.

Revision  Changes    Path
2.3       +20 -1     interchange/lib/Vend/Page.pm


rev 2.3, prev_rev 2.2
Index: Page.pm
===================================================================
RCS file: /anon_cvs/repository/interchange/lib/Vend/Page.pm,v
retrieving revision 2.2
retrieving revision 2.3
diff -u -r2.2 -r2.3
--- Page.pm	2001/10/11 23:05:41	2.2
+++ Page.pm	2001/10/13 20:35:21	2.3
@@ -1,6 +1,6 @@
 # Vend::Page - Handle Interchange page routing
 # 
-# $Id: Page.pm,v 2.2 2001/10/11 23:05:41 mheins Exp $
+# $Id: Page.pm,v 2.3 2001/10/13 20:35:21 mheins Exp $
 #
 # Copyright (C) 1996-2001 Red Hat, Inc. <interchange@redhat.com>
 #
@@ -45,14 +45,23 @@
 
 use vars qw/$VERSION/;
 
-$VERSION = substr(q$Revision: 2.2 $, 10);
+$VERSION = substr(q$Revision: 2.3 $, 10);
 
 my $wantref = 1;
 
 sub display_special_page {
 	my($name, $subject) = @_;
 	my($page);
-	
+
+	$name =~ m/[\[<]+/g
+		and do {
+			::logGlobal(
+					"Security violation -- scripting character in page name '%s'.",
+					$name,
+				);
+			$name = 'violation';
+		};
+
 	$subject = $subject || 'unspecified error';
 	
 #::logDebug("looking for special_page=$name");
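Review bot: The test `$name =~ m/[\[<]+/g` in display_special_page carries a `/g` flag and a `+` quantifier that add nothing to a yes/no check, and `/g` in scalar context makes the match start from `pos($name)`, which becomes a trap if the variable is ever matched twice. A plain `if ($name =~ /[\[<]/) { ... }` reads more clearly than `and do { ... }` and behaves the same here. The identical block is repeated in the display_page hunk, so a small shared helper would keep the two checks from drifting apart. The rejected name is also handed to `::logGlobal` unmodified; logGlobal is not visible here, so confirm that it neutralises newlines and control characters before writing the entry. The body of display_special_page continues past the hunk.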
@@ -72,6 +81,16 @@
 sub display_page {
 	my($name) = @_;
 	my($page);
+
+	$name =~ m/[\[<]+/g
+		and do {
+			::logGlobal(
+					"Security violation -- scripting character in page name '%s'.",
+					$name,
+				);
+			$name = 'violation';
+			return display_special_page($name);
+		};
 
 	$name = $CGI::values{mv_nextpage} unless $name;
 #::logDebug("display_page: $name");
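Review bot: The new check in display_page runs before the fallback `$name = $CGI::values{mv_nextpage} unless $name;`, so when the sub is called without an argument the page name taken from the request is never tested for `<` or `[`. Unless mv_nextpage is filtered somewhere outside this hunk, the fallback should move above the check so both sources pass through it: place `$name = $CGI::values{mv_nextpage} unless $name;` directly after `my($page);`. That ordering also avoids matching against an undefined `$name`, which would raise an uninitialized-value warning if warnings are enabled. The rest of display_page lies outside the hunk.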