[interchange-cvs] interchange - heins modified 2 files
interchange-core@interchange.redhat.com
interchange-core@interchange.redhat.com
Wed Oct 17 13:42:00 2001
User: heins
Date: 2001-10-17 17:41:25 GMT
Modified: lib/Vend Tag: STABLE_4_8-branch Config.pm Interpolate.pm
Log:
* Close security hole by disabling Safe :base_io group by default.
Found by Jon. 8-)
* Do this by adding SafeTrap directive and setting to :base_io.
Revision Changes Path
No revision
No revision
2.2.2.4 +4 -2 interchange/lib/Vend/Config.pm
rev 2.2.2.4, prev_rev 2.2.2.3
Index: Config.pm
===================================================================
RCS file: /anon_cvs/repository/interchange/lib/Vend/Config.pm,v
retrieving revision 2.2.2.3
retrieving revision 2.2.2.4
diff -u -r2.2.2.3 -r2.2.2.4
--- Config.pm 2001/10/13 23:10:23 2.2.2.3
+++ Config.pm 2001/10/17 17:41:24 2.2.2.4
@@ -1,6 +1,6 @@
# Vend::Config - Configure Interchange
#
-# $Id: Config.pm,v 2.2.2.3 2001/10/13 23:10:23 mheins Exp $
+# $Id: Config.pm,v 2.2.2.4 2001/10/17 17:41:24 mheins Exp $
#
# Copyright (C) 1996-2001 Red Hat, Inc. <interchange@redhat.com>
#
@@ -95,7 +95,7 @@
use Vend::Parse;
use Vend::Util;
-$VERSION = substr(q$Revision: 2.2.2.3 $, 10);
+$VERSION = substr(q$Revision: 2.2.2.4 $, 10);
my %CDname;
@@ -324,6 +324,7 @@
['PIDcheck', 'integer', '0'],
['LockoutCommand', undef, ''],
['SafeUntrap', 'array', 'ftfile sort'],
+ ['SafeTrap', 'array', ':base_io'],
['NoAbsolute', 'yesno', 'No'],
['AllowGlobal', 'boolean', ''],
['AddDirective', 'directive', ''],
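Review bot: The new `SafeTrap` entry is parsed as a plain `array`, so as far as this hunk shows nothing checks that its values are valid opcode names or tags before they reach `Safe->trap`, which croaks on an unknown name. A typo in the directive would then surface at the first embedded-Perl evaluation rather than at startup, so validating the list when the directive is parsed would fail early and visibly. The entry should also be marked as security-relevant, e.g. `# SafeTrap: opcodes masked in every Safe compartment; dropping :base_io re-enables filehandle I/O for embedded Perl`. The directive table starts and ends outside the hunk.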
@@ -2981,6 +2982,7 @@
my $code = $val;
$code =~ s'$Vend::Session->'$foo'g;
$code =~ s'$Vend::Cfg->'$bar'g;
+ $safe->trap(@{$Global::SafeTrap});
$safe->untrap(@{$Global::SafeUntrap});
$sub = $safe->reval($code);
if($@) {
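Review bot: `untrap` runs after `trap` here, so any opcode or tag listed in both directives ends up permitted; a `SafeUntrap` value that overlaps `:base_io` silently cancels the restriction this commit adds. If that precedence is intended, state it next to the pair, e.g. `# SafeUntrap is applied last and overrides SafeTrap`; otherwise swap the two calls so the trap list has the final word. The same pair is repeated in `reset_calc` and in the `RUNSAFE` block of Interpolate.pm, so a small shared helper would keep the three sites from drifting apart. The enclosing sub starts and ends outside the hunk.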
2.9.2.6 +5 -2 interchange/lib/Vend/Interpolate.pm
rev 2.9.2.6, prev_rev 2.9.2.5
Index: Interpolate.pm
===================================================================
RCS file: /anon_cvs/repository/interchange/lib/Vend/Interpolate.pm,v
retrieving revision 2.9.2.5
retrieving revision 2.9.2.6
diff -u -r2.9.2.5 -r2.9.2.6
--- Interpolate.pm 2001/10/13 23:10:23 2.9.2.5
+++ Interpolate.pm 2001/10/17 17:41:24 2.9.2.6
@@ -1,6 +1,6 @@
# Vend::Interpolate - Interpret Interchange tags
#
-# $Id: Interpolate.pm,v 2.9.2.5 2001/10/13 23:10:23 mheins Exp $
+# $Id: Interpolate.pm,v 2.9.2.6 2001/10/17 17:41:24 mheins Exp $
#
# Copyright (C) 1996-2001 Red Hat, Inc. <interchange@redhat.com>
#
@@ -27,7 +27,7 @@
require Exporter;
@ISA = qw(Exporter);
-$VERSION = substr(q$Revision: 2.9.2.5 $, 10);
+$VERSION = substr(q$Revision: 2.9.2.6 $, 10);
@EXPORT = qw (
@@ -159,6 +159,7 @@
use vars qw/%Filter %Ship_handler $Safe_data/;
$ready_safe = new Safe;
+$ready_safe->trap(qw/:base_io/);
$ready_safe->untrap(qw/sort ftfile/);
sub reset_calc {
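Review bot: The compartment built at module load traps the literal `:base_io` and untraps the literal `sort ftfile`, while the later call sites read `$Global::SafeTrap` and `$Global::SafeUntrap`. Until `reset_calc` replaces `$ready_safe` (presumably before any page code runs, though that is not visible here), this compartment ignores the configured directives. If the defaults in Vend::Config change, these literals will no longer match them. A comment would make the coupling explicit, e.g. `# Load-time defaults; keep in sync with the SafeTrap/SafeUntrap defaults in Vend::Config`.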
@@ -173,6 +174,7 @@
$ready_safe = new Safe $pkg;
$ready_safe->share_from('MVSAFE', ['$safe']);
#::logDebug("new safe made=$ready_safe->{Root}");
+ $ready_safe->trap(@{$Global::SafeTrap});
$ready_safe->untrap(@{$Global::SafeUntrap});
no strict 'refs';
$Document = new Vend::Document;
@@ -1384,6 +1386,7 @@
RUNSAFE: {
last RUNSAFE if defined $status;
last RUNSAFE if $status = ($noop && $op);
+ $ready_safe->trap(@{$Global::SafeTrap});
$ready_safe->untrap(@{$Global::SafeUntrap});
$status = $ready_safe->reval($op)
unless ($@ or $status);