[interchange-cvs] interchange - kwalsh modified 3 files

interchange-core@icdevgroup.org interchange-core@icdevgroup.org
Thu Nov 28 11:25:01 2002 

User:      kwalsh
Date:      2002-11-28 16:24:01 GMT
Modified:  lib/Vend Order.pm Util.pm Interpolate.pm
Log:
	* Various patches to plug NoAbsolute-related security bugs when
	  reading files.

	* If readfile()'s second parameter can be safely removed then
	  this can be done in a later commit;  I've left it alone for now.

Revision  Changes    Path
2.40      +4 -4      interchange/lib/Vend/Order.pm


rev 2.40, prev_rev 2.39
Index: Order.pm
===================================================================
RCS file: /var/cvs/interchange/lib/Vend/Order.pm,v
retrieving revision 2.39
retrieving revision 2.40
diff -u -r2.39 -r2.40
--- Order.pm	21 Nov 2002 22:23:51 -0000	2.39
+++ Order.pm	28 Nov 2002 16:24:01 -0000	2.40
@@ -1,6 +1,6 @@
 # Vend::Order - Interchange order routing routines
 #
-# $Id: Order.pm,v 2.39 2002/11/21 22:23:51 jon Exp $
+# $Id: Order.pm,v 2.40 2002/11/28 16:24:01 kwalsh Exp $
 #
 # Copyright (C) 1996-2001 Red Hat, Inc. <interchange@redhat.com>
 #
@@ -28,7 +28,7 @@
 package Vend::Order;
 require Exporter;
 
-$VERSION = substr(q$Revision: 2.39 $, 10);
+$VERSION = substr(q$Revision: 2.40 $, 10);
 
 @ISA = qw(Exporter);
 
@@ -767,7 +767,7 @@
 	$body = readin($::Values->{mv_order_report})
 		if $::Values->{mv_order_report};
 # END LEGACY
-	$body = readfile($Vend::Cfg->{OrderReport})
+	$body = readfile($Vend::Cfg->{OrderReport}, $Global::NoAbsolute)
 		if ! $body;
 	unless (defined $body) {
 		::logError(
@@ -1610,7 +1610,7 @@
 		}
 		else {
 			$pagefile = $route->{'report'} || $main->{'report'};
-			$page = readfile($pagefile);
+			$page = readfile($pagefile, $Global::NoAbsolute);
 		}
 		die errmsg(
 			"No order report %s or %s found.",



2.41      +8 -3      interchange/lib/Vend/Util.pm


rev 2.41, prev_rev 2.40
Index: Util.pm
===================================================================
RCS file: /var/cvs/interchange/lib/Vend/Util.pm,v
retrieving revision 2.40
retrieving revision 2.41
diff -u -r2.40 -r2.41
--- Util.pm	9 Nov 2002 06:03:36 -0000	2.40
+++ Util.pm	28 Nov 2002 16:24:01 -0000	2.41
@@ -1,6 +1,6 @@
 # Vend::Util - Interchange utility functions
 #
-# $Id: Util.pm,v 2.40 2002/11/09 06:03:36 mheins Exp $
+# $Id: Util.pm,v 2.41 2002/11/28 16:24:01 kwalsh Exp $
 # 
 # Copyright (C) 1996-2002 Red Hat, Inc. <interchange@redhat.com>
 #
@@ -83,7 +83,7 @@
 use Safe;
 use subs qw(logError logGlobal);
 use vars qw($VERSION @EXPORT @EXPORT_OK);
-$VERSION = substr(q$Revision: 2.40 $, 10);
+$VERSION = substr(q$Revision: 2.41 $, 10);
 
 BEGIN {
 	eval {
@@ -1020,7 +1020,12 @@
 	$Global::Variable->{MV_PAGE} = $file;
 
 	$file =~ s#\.html?$##;
-	if($file =~ m{\.\.} and $file =~ /\.\..*\.\./) {
+	$file =~ s/^\s+//;
+	if($Global::NoAbsolute and $file =~ m:^/:) {
+		::logError("Cannot specify full path '%s' while NoAbsolute is in use.", $file);
+		$file = find_special_page('violation');
+	}
+	elsif($file =~ m{\.\.} and $file =~ /\.\..*\.\./) {
 		::logError( "Too many .. in file path '%s' for security.", $file );
 		$file = find_special_page('violation');
 	}



2.135     +6 -5      interchange/lib/Vend/Interpolate.pm


rev 2.135, prev_rev 2.134
Index: Interpolate.pm
===================================================================
RCS file: /var/cvs/interchange/lib/Vend/Interpolate.pm,v
retrieving revision 2.134
retrieving revision 2.135
diff -u -r2.134 -r2.135
--- Interpolate.pm	28 Nov 2002 11:52:52 -0000	2.134
+++ Interpolate.pm	28 Nov 2002 16:24:01 -0000	2.135
@@ -1,6 +1,6 @@
 # Vend::Interpolate - Interpret Interchange tags
 # 
-# $Id: Interpolate.pm,v 2.134 2002/11/28 11:52:52 kwalsh Exp $
+# $Id: Interpolate.pm,v 2.135 2002/11/28 16:24:01 kwalsh Exp $
 #
 # Copyright (C) 1996-2002 Red Hat, Inc. <interchange@redhat.com>
 #
@@ -27,7 +27,7 @@
 require Exporter;
 @ISA = qw(Exporter);
 
-$VERSION = substr(q$Revision: 2.134 $, 10);
+$VERSION = substr(q$Revision: 2.135 $, 10);
 
 @EXPORT = qw (
 
@@ -2481,12 +2481,13 @@
 	if($file =~ s/^\s*>\s*//) {
 		$opt->{create} = 1;
 	}
+
+	$file = Vend::Util::escape_chars($file);
 	if($Global::NoAbsolute and (file_name_is_absolute($file) or $file =~ m#\.\./.*\.\.#)) {
 		::logError("Can't use file '%s' with NoAbsolute set", $file);
 		::logGlobal({ level => 'auth'}, "Can't use file '%s' with NoAbsolute set", $file);
 		return '';
 	}
-	$file = Vend::Util::escape_chars($file);
 
 	$file = ">$file" if $opt->{create};
 
@@ -5213,7 +5214,7 @@
 	}
 	elsif ($opt->{file}) {
 #::logDebug("loop resolve file");
-		$list = Vend::Util::readfile($opt->{file});
+		$list = Vend::Util::readfile($opt->{file}, $Global::NoAbsolute);
 		$opt->{lr} = 1 unless
 						defined $opt->{lr}
 						or $opt->{quoted};
@@ -5887,12 +5888,12 @@
 		$secs = Vend::Config::time_to_seconds($opt->{period});
 	}
 
+    $file = Vend::Util::escape_chars($file);
     if($Global::NoAbsolute and (file_name_is_absolute($file) or $file =~ m#\.\./.*\.\.#)) {
 	::logError("Can't use file '%s' with NoAbsolute set", $file);
 	::logGlobal({ level => 'auth'}, "Can't use file '%s' with NoAbsolute set", $file);
 	return '';
     }
-    $file = Vend::Util::escape_chars($file);
 
     if( ! -f $file or $secs && (stat(_))[9] < (time() - $secs) ) {
         my $out = Vend::Interpolate::interpolate_html(shift);