[interchange-cvs] interchange - kwalsh modified 3 files
interchange-core@icdevgroup.org
interchange-core@icdevgroup.org
Thu Nov 28 12:13:01 2002
User: kwalsh
Date: 2002-11-28 17:12:22 GMT
Modified: lib/Vend Interpolate.pm Order.pm Util.pm
Log:
* Removed the previous Vend::Util::readin() patch and now perform
specific checks before the three calls that were cause for
concern.
Revision Changes Path
2.136 +8 -3 interchange/lib/Vend/Interpolate.pm
rev 2.136, prev_rev 2.135
Index: Interpolate.pm
===================================================================
RCS file: /var/cvs/interchange/lib/Vend/Interpolate.pm,v
retrieving revision 2.135
retrieving revision 2.136
diff -u -r2.135 -r2.136
--- Interpolate.pm 28 Nov 2002 16:24:01 -0000 2.135
+++ Interpolate.pm 28 Nov 2002 17:12:22 -0000 2.136
@@ -1,6 +1,6 @@
# Vend::Interpolate - Interpret Interchange tags
#
-# $Id: Interpolate.pm,v 2.135 2002/11/28 16:24:01 kwalsh Exp $
+# $Id: Interpolate.pm,v 2.136 2002/11/28 17:12:22 kwalsh Exp $
#
# Copyright (C) 1996-2002 Red Hat, Inc. <interchange@redhat.com>
#
@@ -27,7 +27,7 @@
require Exporter;
@ISA = qw(Exporter);
-$VERSION = substr(q$Revision: 2.135 $, 10);
+$VERSION = substr(q$Revision: 2.136 $, 10);
@EXPORT = qw (
@@ -5362,7 +5362,12 @@
#::logDebug("fly_page: selector=$selector");
unless (defined $page) {
- $page = readin($selector);
+ if($Global::NoAbsolute and (file_name_is_absolute($selector) or $selector =~ m#\.\./.*\.\.#)) {
+ ::logError("Can't use file '%s' with NoAbsolute set", $selector);
+ ::logGlobal({ level => 'auth'}, "Can't use file '%s' with NoAbsolute set", $selector);
+ return '';
+ }
+ $page = readin($selector);
if (defined $page) {
vars_and_comments(\$page);
} else {
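Review bot: The new guard in front of `$page = readin($selector)` rejects only absolute paths and paths carrying two `..` components, and only while `$Global::NoAbsolute` is set, so a selector such as `../foo` still reaches readin() in either configuration; readin()'s own test in this same commit (Util.pm) likewise tolerates a single `..`. Whether one parent reference can leave the page directory depends on how readin() resolves the name, which is outside the hunk, but if a lone `..` is not meant to be legal in a fly-page selector the test should be `$selector =~ m{(?:^|/)\.\.(?:/|\z)}` rather than `m#\.\./.*\.\.#`. The guard also returns `''` where readin() previously substituted the 'violation' page, so callers now see an empty page instead of the violation page; a one-line comment stating that this is intended would help the next reader. This assumes `file_name_is_absolute` is imported into Vend::Interpolate, which the hunk does not show; under `use strict` an unimported name would fail only at run time, on the first rejected path. fly_page begins before and continues after this hunk.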
2.41 +15 -4 interchange/lib/Vend/Order.pm
rev 2.41, prev_rev 2.40
Index: Order.pm
===================================================================
RCS file: /var/cvs/interchange/lib/Vend/Order.pm,v
retrieving revision 2.40
retrieving revision 2.41
diff -u -r2.40 -r2.41
--- Order.pm 28 Nov 2002 16:24:01 -0000 2.40
+++ Order.pm 28 Nov 2002 17:12:22 -0000 2.41
@@ -1,6 +1,6 @@
# Vend::Order - Interchange order routing routines
#
-# $Id: Order.pm,v 2.40 2002/11/28 16:24:01 kwalsh Exp $
+# $Id: Order.pm,v 2.41 2002/11/28 17:12:22 kwalsh Exp $
#
# Copyright (C) 1996-2001 Red Hat, Inc. <interchange@redhat.com>
#
@@ -28,7 +28,7 @@
package Vend::Order;
require Exporter;
-$VERSION = substr(q$Revision: 2.40 $, 10);
+$VERSION = substr(q$Revision: 2.41 $, 10);
@ISA = qw(Exporter);
@@ -764,8 +764,14 @@
my($body, $ok);
my($subject);
# LEGACY
- $body = readin($::Values->{mv_order_report})
- if $::Values->{mv_order_report};
+ if ($::Values->{mv_order_report}) {
+ if($Global::NoAbsolute and (file_name_is_absolute($::Values->{mv_order_report}) or $::Values->{mv_order_report} =~ m#\.\./.*\.\.#)) {
+ ::logError("Can't use file '%s' with NoAbsolute set", $::Values->{mv_order_report});
+ ::logGlobal({ level => 'auth'}, "Can't use file '%s' with NoAbsolute set", $::Values->{mv_order_report});
+ return undef;
+ }
+ $body = readin($::Values->{mv_order_report})
+ }
# END LEGACY
$body = readfile($Vend::Cfg->{OrderReport}, $Global::NoAbsolute)
if ! $body;
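Review bot: `$::Values->{mv_order_report}` is, judging by the `$::Values` hash and the LEGACY marker, a value submitted with the order form, and the new guard returns `undef` when it is rejected, so one bad form value aborts report generation instead of falling through to the configured `$Vend::Cfg->{OrderReport}` on the `readfile` line just below. If the intent is to ignore an invalid client-supplied path rather than fail the order, `delete $::Values->{mv_order_report};` in place of `return undef;` keeps the fallback; if failing closed is intended, a comment such as `# a rejected mv_order_report aborts the report rather than falling back to OrderReport` would make that explicit. As at the other call sites, the check is skipped entirely when `$Global::NoAbsolute` is unset and accepts a single `..`, so this client-controlled value is only constrained in that configuration. The enclosing sub starts before this hunk.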
@@ -780,6 +786,11 @@
$Vend::Cfg->{OrderReport},
$::Values->{mv_order_report},
);
+ if($Global::NoAbsolute and (file_name_is_absolute($Vend::Cfg->{OrderReport}) or $Vend::Cfg->{OrderReport} =~ m#\.\./.*\.\.#)) {
+ ::logError("Can't use file '%s' with NoAbsolute set", $Vend::Cfg->{OrderReport});
+ ::logGlobal({ level => 'auth'}, "Can't use file '%s' with NoAbsolute set", $Vend::Cfg->{OrderReport});
+ return undef;
+ }
$body = readin($Vend::Cfg->{OrderReport});
return undef if ! $body;
}
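Review bot: The five-line NoAbsolute guard inserted before `readin($Vend::Cfg->{OrderReport})` is a verbatim copy of the one added to the `mv_order_report` branch a few lines earlier in the same sub, and of the one in Interpolate.pm, so three places must now stay in sync on the regex and the two log messages. Pulling it into one helper makes each call site a single line and gives the `..` rule one home; the sketch below keeps the current semantics, including the `return undef`. As far as this hunk shows `$Vend::Cfg->{OrderReport}` is catalog configuration rather than client input, so the check here is defence in depth only. The enclosing sub begins before this hunk.

```perl
# Returns true when $path may be read under the NoAbsolute policy:
# always when NoAbsolute is off, otherwise only for relative paths
# with at most one '..' component. Logs the rejection itself.
sub _report_path_allowed {
    my ($path) = @_;
    return 1 unless $Global::NoAbsolute;
    return 1 unless file_name_is_absolute($path) or $path =~ m#\.\./.*\.\.#;
    ::logError("Can't use file '%s' with NoAbsolute set", $path);
    ::logGlobal({ level => 'auth'}, "Can't use file '%s' with NoAbsolute set", $path);
    return 0;
}

# … unchanged: logError listing OrderReport and mv_order_report …
return undef unless _report_path_allowed($Vend::Cfg->{OrderReport});
$body = readin($Vend::Cfg->{OrderReport});
```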
2.42 +5 -8 interchange/lib/Vend/Util.pm
rev 2.42, prev_rev 2.41
Index: Util.pm
===================================================================
RCS file: /var/cvs/interchange/lib/Vend/Util.pm,v
retrieving revision 2.41
retrieving revision 2.42
diff -u -r2.41 -r2.42
--- Util.pm 28 Nov 2002 16:24:01 -0000 2.41
+++ Util.pm 28 Nov 2002 17:12:22 -0000 2.42
@@ -1,6 +1,6 @@
# Vend::Util - Interchange utility functions
#
-# $Id: Util.pm,v 2.41 2002/11/28 16:24:01 kwalsh Exp $
+# $Id: Util.pm,v 2.42 2002/11/28 17:12:22 kwalsh Exp $
#
# Copyright (C) 1996-2002 Red Hat, Inc. <interchange@redhat.com>
#
@@ -83,7 +83,7 @@
use Safe;
use subs qw(logError logGlobal);
use vars qw($VERSION @EXPORT @EXPORT_OK);
-$VERSION = substr(q$Revision: 2.41 $, 10);
+$VERSION = substr(q$Revision: 2.42 $, 10);
BEGIN {
eval {
@@ -1019,13 +1019,10 @@
if defined $Global::Variable->{MV_PAGE};
$Global::Variable->{MV_PAGE} = $file;
+ $file =~ s#^\s+##;
+ $file =~ s#\s+$##;
$file =~ s#\.html?$##;
- $file =~ s/^\s+//;
- if($Global::NoAbsolute and $file =~ m:^/:) {
- ::logError("Cannot specify full path '%s' while NoAbsolute is in use.", $file);
- $file = find_special_page('violation');
- }
- elsif($file =~ m{\.\.} and $file =~ /\.\..*\.\./) {
+ if($file =~ m{\.\.} and $file =~ /\.\..*\.\./) {
::logError( "Too many .. in file path '%s' for security.", $file );
$file = find_special_page('violation');
}
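Review bot: With the `NoAbsolute` branch removed from readin(), absolute-path rejection now lives only at the three patched call sites, so any other caller of readin() — none is visible here, but it is called unqualified from two other packages in this commit and so is presumably exported — no longer gets it, and the old behaviour of substituting the 'violation' page goes with it. If that division of responsibility is intended, say so at the remaining check, e.g. `# NoAbsolute is enforced by callers; readin only refuses more than one '..' component`; otherwise keep a defensive NoAbsolute check here as well. The surviving condition `$file =~ m{\.\.} and $file =~ /\.\..*\.\./` can be just `$file =~ /\.\..*\.\./`, since the second test implies the first. readin() begins before and continues after this hunk.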