[interchange-cvs] interchange - heins modified scripts/interchange.PL

interchange-core@interchange.redhat.com interchange-core@interchange.redhat.com
Thu Oct 18 01:40:00 2001


User:      heins
Date:      2001-10-18 05:39:37 GMT
Modified:  scripts  interchange.PL
Log:
	* Final bits of the security update designed to decrease vulnerability
	  to cross-site scripting exploits.

Revision  Changes    Path
2.11      +36 -5     interchange/scripts/interchange.PL


rev 2.11, prev_rev 2.10
Index: interchange.PL
===================================================================
RCS file: /anon_cvs/repository/interchange/scripts/interchange.PL,v
retrieving revision 2.10
retrieving revision 2.11
diff -u -r2.10 -r2.11
--- interchange.PL	2001/10/06 07:03:37	2.10
+++ interchange.PL	2001/10/18 05:39:36	2.11
@@ -50,7 +50,7 @@
 #
 # Interchange version 4.9.0
 #
-# $Id: interchange.PL,v 2.10 2001/10/06 07:03:37 mheins Exp $
+# $Id: interchange.PL,v 2.11 2001/10/18 05:39:36 mheins Exp $
 #
 # Copyright (C) 1996-2001 Red Hat, Inc. <interchange@redhat.com>
 #
@@ -971,6 +971,7 @@
 	}
 	return;
 }
+
 # Parse the mv_click and mv_check special variables
 sub parse_click {
 	my ($ref, $click, $extra) = @_;
@@ -1063,14 +1064,44 @@
 				/ }
 		) = encrypt_standard_cc(\%CGI::values);
 	}	
+
+	my $restrict;
+	if($restrict = $Vend::Session->{restrict_html} and ! ref $restrict) {
+		$restrict = [ map { lc $_ } split /\s+/, $restrict ];
+		$Vend::Session->{restrict_html} = $restrict;
+	}
 
-	my ($key, $value);
-    while (($key, $value) = each %CGI::values) {
+    while (my ($key, $value) = each %CGI::values) {
+		# values explicly ignored in configuration
         next if defined $Ignore{$key};
-        next if defined $Vend::Cfg->{FormIgnore}->{$key};
-        next if ($key =~ m/^quantity\d+$/);
+        next if defined $Vend::Cfg->{FormIgnore}{$key};
+
+#LEGACY
 		# We add any checkbox ordered items, but don't update -- 
 		# we don't want to order them twice
+        next if ($key =~ m/^quantity\d+$/);
+#END LEGACY
+
+		# Admins should know what they are doing
+		if($Vend::admin) {
+			$::Values->{$key} = $value;
+			next;
+		}
+		elsif ($restrict and $value =~ /</) {
+			# Allow designer to allow only certain HTML tags from trusted users
+			# Will go away when current session ends...
+			# [ script start character handled in [value ...] ITL tag
+			$value = Vend::Interpolate::filter_value(
+						'restrict_html',
+						$value,
+						$key,
+						@$restrict,
+					);
+			next;
+		}
+		$value =~ tr/<[//d;
+		$value =~ s/&lt;//ig;
+		$value =~ s/&#91;//g;
         $::Values->{$key} = $value;
     }
 }
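Review bot: In the `elsif ($restrict and $value =~ /</)` branch the filtered result assigned to `$value` is never stored, because the `next;` that follows it skips the `$::Values->{$key} = $value;` at the bottom of the loop, so a session with `restrict_html` set silently loses every submitted value that contains `<` (unless filter_value writes `$::Values` itself, which is not visible here). The branch should store before continuing, mirroring the `$Vend::admin` branch above it: `$::Values->{$key} = $value;` followed by `next;`. The fall-through stripping is also uneven: `s/&lt;//ig` and `s/&#91;//g` remove the named entity for `<` and the decimal entity for `[`, but not the decimal or hex entity forms of `<`, so either those lines should cover the same entity forms for both characters or a comment should state where these values are later interpolated and why only these two spellings matter. The comment above `next if defined $Ignore{$key};` has a typo (`explicly`). The enclosing sub starts before this hunk.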