[interchange-cvs] interchange - kwalsh modified lib/Vend/Interpolate.pm

interchange-core@icdevgroup.org interchange-core@icdevgroup.org
Thu Nov 28 06:53:00 2002 

User:      kwalsh
Date:      2002-11-28 11:52:52 GMT
Modified:  lib/Vend Interpolate.pm
Log:
	* Fixed a security bug with [timed-build] where users could
	  read/write any file where the Interchange user has permission.
	  For instance:

	  Read from any file:

		[timed-build secs="0" file="/etc/passwd"]
		[/timed-build]

	  Write to any file:

		[timed-build secs="1" file="/tmp/somefile"]
		Gotcha!
		[/timed-build]

	* Also added the same fix into [log].

Revision  Changes    Path
2.134     +14 -2     interchange/lib/Vend/Interpolate.pm


rev 2.134, prev_rev 2.133
Index: Interpolate.pm
===================================================================
RCS file: /var/cvs/interchange/lib/Vend/Interpolate.pm,v
retrieving revision 2.133
retrieving revision 2.134
diff -u -r2.133 -r2.134
--- Interpolate.pm	26 Nov 2002 06:48:05 -0000	2.133
+++ Interpolate.pm	28 Nov 2002 11:52:52 -0000	2.134
@@ -1,6 +1,6 @@
 # Vend::Interpolate - Interpret Interchange tags
 # 
-# $Id: Interpolate.pm,v 2.133 2002/11/26 06:48:05 kwalsh Exp $
+# $Id: Interpolate.pm,v 2.134 2002/11/28 11:52:52 kwalsh Exp $
 #
 # Copyright (C) 1996-2002 Red Hat, Inc. <interchange@redhat.com>
 #
@@ -27,7 +27,7 @@
 require Exporter;
 @ISA = qw(Exporter);
 
-$VERSION = substr(q$Revision: 2.133 $, 10);
+$VERSION = substr(q$Revision: 2.134 $, 10);
 
 @EXPORT = qw (
 
@@ -2481,6 +2481,11 @@
 	if($file =~ s/^\s*>\s*//) {
 		$opt->{create} = 1;
 	}
+	if($Global::NoAbsolute and (file_name_is_absolute($file) or $file =~ m#\.\./.*\.\.#)) {
+		::logError("Can't use file '%s' with NoAbsolute set", $file);
+		::logGlobal({ level => 'auth'}, "Can't use file '%s' with NoAbsolute set", $file);
+		return '';
+	}
 	$file = Vend::Util::escape_chars($file);
 
 	$file = ">$file" if $opt->{create};
@@ -5881,6 +5886,13 @@
 	elsif ($opt->{period}) {
 		$secs = Vend::Config::time_to_seconds($opt->{period});
 	}
+
+    if($Global::NoAbsolute and (file_name_is_absolute($file) or $file =~ m#\.\./.*\.\.#)) {
+	::logError("Can't use file '%s' with NoAbsolute set", $file);
+	::logGlobal({ level => 'auth'}, "Can't use file '%s' with NoAbsolute set", $file);
+	return '';
+    }
+    $file = Vend::Util::escape_chars($file);
 
     if( ! -f $file or $secs && (stat(_))[9] < (time() - $secs) ) {
         my $out = Vend::Interpolate::interpolate_html(shift);