[interchange-cvs] interchange - kwalsh modified lib/Vend/Interpolate.pm
interchange-core@icdevgroup.org
interchange-core@icdevgroup.org
Thu Nov 28 06:53:00 2002
User: kwalsh
Date: 2002-11-28 11:52:52 GMT
Modified: lib/Vend Interpolate.pm
Log:
* Fixed a security bug with [timed-build] where users could
read or write any file that the Interchange user has permission to access.
For instance:
Read from any file:
[timed-build secs="0" file="/etc/passwd"]
[/timed-build]
Write to any file:
[timed-build secs="1" file="/tmp/somefile"]
Gotcha!
[/timed-build]
* Also added the same fix into [log].
Revision Changes Path
2.134 +14 -2 interchange/lib/Vend/Interpolate.pm
rev 2.134, prev_rev 2.133
Index: Interpolate.pm
===================================================================
RCS file: /var/cvs/interchange/lib/Vend/Interpolate.pm,v
retrieving revision 2.133
retrieving revision 2.134
diff -u -r2.133 -r2.134
--- Interpolate.pm 26 Nov 2002 06:48:05 -0000 2.133
+++ Interpolate.pm 28 Nov 2002 11:52:52 -0000 2.134
@@ -1,6 +1,6 @@
# Vend::Interpolate - Interpret Interchange tags
#
-# $Id: Interpolate.pm,v 2.133 2002/11/26 06:48:05 kwalsh Exp $
+# $Id: Interpolate.pm,v 2.134 2002/11/28 11:52:52 kwalsh Exp $
#
# Copyright (C) 1996-2002 Red Hat, Inc. <interchange@redhat.com>
#
@@ -27,7 +27,7 @@
require Exporter;
@ISA = qw(Exporter);
-$VERSION = substr(q$Revision: 2.133 $, 10);
+$VERSION = substr(q$Revision: 2.134 $, 10);
@EXPORT = qw (
@@ -2481,6 +2481,11 @@
if($file =~ s/^\s*>\s*//) {
$opt->{create} = 1;
}
+ if($Global::NoAbsolute and (file_name_is_absolute($file) or $file =~ m#\.\./.*\.\.#)) {
+ ::logError("Can't use file '%s' with NoAbsolute set", $file);
+ ::logGlobal({ level => 'auth'}, "Can't use file '%s' with NoAbsolute set", $file);
+ return '';
+ }
$file = Vend::Util::escape_chars($file);
$file = ">$file" if $opt->{create};
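Review bot: The traversal test in `if($Global::NoAbsolute and (file_name_is_absolute($file) or $file =~ m#\.\./.*\.\.#))` only rejects names that contain two `..` sequences, so a relative name with a single parent-directory component still passes the guard; rejecting any `..` path component, e.g. `$file =~ m{(?:\A|/)\.\.(?:/|\z)}`, closes that gap. The identical guard is repeated in the @@ -5881 hunk for [timed-build] and needs the same change there, so a shared helper in Vend::Util would keep the two copies in step. The check also runs before `Vend::Util::escape_chars($file)` rewrites the name; if escape_chars can alter path components, the rewritten value is the one that should be validated. The whole guard is skipped when `$Global::NoAbsolute` is unset, so the configuration default decides whether this fix is effective — worth stating in the log message. The enclosing sub starts and ends outside the hunk.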
@@ -5881,6 +5886,13 @@
elsif ($opt->{period}) {
$secs = Vend::Config::time_to_seconds($opt->{period});
}
+
+ if($Global::NoAbsolute and (file_name_is_absolute($file) or $file =~ m#\.\./.*\.\.#)) {
+ ::logError("Can't use file '%s' with NoAbsolute set", $file);
+ ::logGlobal({ level => 'auth'}, "Can't use file '%s' with NoAbsolute set", $file);
+ return '';
+ }
+ $file = Vend::Util::escape_chars($file);
if( ! -f $file or $secs && (stat(_))[9] < (time() - $secs) ) {
my $out = Vend::Interpolate::interpolate_html(shift);