[interchange-cvs] interchange - heins modified scripts/interchange.PL
interchange-core@interchange.redhat.com
interchange-core@interchange.redhat.com
Thu Oct 18 01:40:00 2001
User: heins
Date: 2001-10-18 05:39:37 GMT
Modified: scripts interchange.PL
Log:
* Final bits of the security update designed to decrease vulnerability
to cross-site scripting exploits.
Revision Changes Path
2.11 +36 -5 interchange/scripts/interchange.PL
rev 2.11, prev_rev 2.10
Index: interchange.PL
===================================================================
RCS file: /anon_cvs/repository/interchange/scripts/interchange.PL,v
retrieving revision 2.10
retrieving revision 2.11
diff -u -r2.10 -r2.11
--- interchange.PL 2001/10/06 07:03:37 2.10
+++ interchange.PL 2001/10/18 05:39:36 2.11
@@ -50,7 +50,7 @@
#
# Interchange version 4.9.0
#
-# $Id: interchange.PL,v 2.10 2001/10/06 07:03:37 mheins Exp $
+# $Id: interchange.PL,v 2.11 2001/10/18 05:39:36 mheins Exp $
#
# Copyright (C) 1996-2001 Red Hat, Inc. <interchange@redhat.com>
#
@@ -971,6 +971,7 @@
}
return;
}
+
# Parse the mv_click and mv_check special variables
sub parse_click {
my ($ref, $click, $extra) = @_;
@@ -1063,14 +1064,44 @@
/ }
) = encrypt_standard_cc(\%CGI::values);
}
+
+ my $restrict;
+ if($restrict = $Vend::Session->{restrict_html} and ! ref $restrict) {
+ $restrict = [ map { lc $_ } split /\s+/, $restrict ];
+ $Vend::Session->{restrict_html} = $restrict;
+ }
- my ($key, $value);
- while (($key, $value) = each %CGI::values) {
+ while (my ($key, $value) = each %CGI::values) {
+ # values explicly ignored in configuration
next if defined $Ignore{$key};
- next if defined $Vend::Cfg->{FormIgnore}->{$key};
- next if ($key =~ m/^quantity\d+$/);
+ next if defined $Vend::Cfg->{FormIgnore}{$key};
+
+#LEGACY
# We add any checkbox ordered items, but don't update --
# we don't want to order them twice
+ next if ($key =~ m/^quantity\d+$/);
+#END LEGACY
+
+ # Admins should know what they are doing
+ if($Vend::admin) {
+ $::Values->{$key} = $value;
+ next;
+ }
+ elsif ($restrict and $value =~ /</) {
+ # Allow designer to allow only certain HTML tags from trusted users
+ # Will go away when current session ends...
+ # [ script start character handled in [value ...] ITL tag
+ $value = Vend::Interpolate::filter_value(
+ 'restrict_html',
+ $value,
+ $key,
+ @$restrict,
+ );
+ next;
+ }
+ $value =~ tr/<[//d;
+ $value =~ s/<//ig;
+ $value =~ s/[//g;
$::Values->{$key} = $value;
}
}
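Review bot: In the `restrict_html` branch the filtered result is assigned only to the local `$value` and then `next` is reached, so `$::Values->{$key}` is never written for a non-admin value containing `<` while restrictions are in effect — the submission is dropped rather than sanitised; assign the result directly, `$::Values->{$key} = Vend::Interpolate::filter_value(`, or store `$value` before the `next` as the admin branch does. The fall-through stripping of `<` and `[` (and their encoded forms on the two `s///` lines, which this rendering appears to have decoded, so the exact patterns should be checked against the file) is input-side deletion: it alters legitimate text such as `a < b` and is not context-aware, so a comment that output-time escaping in the templates remains the primary defence would help the next maintainer, e.g. `# Defence in depth only: values must still be HTML-escaped where they are displayed`. Since the admin branch ends in `next`, the following `elsif` can be a plain `if`, and `explicly` in the comment should read `explicitly`. The enclosing sub starts before this hunk, and the hunk's old/new line counts suggest one trailing context line is missing from this copy.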