[interchange-cvs] interchange - kwalsh modified 3 files

interchange-core@icdevgroup.org interchange-core@icdevgroup.org
Thu Nov 28 12:13:01 2002


User:      kwalsh
Date:      2002-11-28 17:12:22 GMT
Modified:  lib/Vend Interpolate.pm Order.pm Util.pm
Log:
	* Removed the previous Vend::Util::readin() patch and now perform
	  specific checks before the three calls that were cause for
	  concern.

Revision  Changes    Path
2.136     +8 -3      interchange/lib/Vend/Interpolate.pm


rev 2.136, prev_rev 2.135
Index: Interpolate.pm
===================================================================
RCS file: /var/cvs/interchange/lib/Vend/Interpolate.pm,v
retrieving revision 2.135
retrieving revision 2.136
diff -u -r2.135 -r2.136
--- Interpolate.pm	28 Nov 2002 16:24:01 -0000	2.135
+++ Interpolate.pm	28 Nov 2002 17:12:22 -0000	2.136
@@ -1,6 +1,6 @@
 # Vend::Interpolate - Interpret Interchange tags
 # 
-# $Id: Interpolate.pm,v 2.135 2002/11/28 16:24:01 kwalsh Exp $
+# $Id: Interpolate.pm,v 2.136 2002/11/28 17:12:22 kwalsh Exp $
 #
 # Copyright (C) 1996-2002 Red Hat, Inc. <interchange@redhat.com>
 #
@@ -27,7 +27,7 @@
 require Exporter;
 @ISA = qw(Exporter);
 
-$VERSION = substr(q$Revision: 2.135 $, 10);
+$VERSION = substr(q$Revision: 2.136 $, 10);
 
 @EXPORT = qw (
 
@@ -5362,7 +5362,12 @@
 #::logDebug("fly_page: selector=$selector");
 
 	unless (defined $page) {
-	    $page = readin($selector);
+		if($Global::NoAbsolute and (file_name_is_absolute($selector) or $selector =~ m#\.\./.*\.\.#)) {
+			::logError("Can't use file '%s' with NoAbsolute set", $selector);
+			::logGlobal({ level => 'auth'}, "Can't use file '%s' with NoAbsolute set", $selector);
+			return '';
+		}
+		$page = readin($selector);
 		if (defined $page) {
 			vars_and_comments(\$page);
 		} else {
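Review bot: The NoAbsolute guard placed before readin() here is copied verbatim at the two Order.pm call sites (hunks at old lines 764 and 780), and its regex `m#\.\./.*\.\.#` only rejects a name that contains two traversal components, so a single `../` (or `foo/..`) still reaches readin, whose own `..` test in the Util.pm hunk has the same two-`..` threshold; how far such a name can climb depends on where readin resolves it, which is outside this hunk. Moving the test into one exported predicate in Vend::Util keeps the three copies from drifting, and if a lone `..` component is never legitimate in a page name the predicate can reject any `..` path segment instead of counting them; this assumes file_name_is_absolute (presumably File::Spec::Functions) is imported there as it evidently is at the three call sites. The call site then reads `if ($Global::NoAbsolute and noabsolute_violation($selector)) {` with the two log lines unchanged. fly_page's body continues outside the hunk on both sides.
```perl
# Vend::Util — one predicate for every readin() caller that must honour NoAbsolute.
# True for an absolute name or for any '..' path component; the caller logs and bails.
sub noabsolute_violation {
	my ($file) = @_;
	return 1 if file_name_is_absolute($file);
	return 1 if $file =~ m{ (?: \A | / ) \.\. (?: / | \z ) }x;
	return 0;
}

# fly_page, Interpolate.pm
	unless (defined $page) {
		if ($Global::NoAbsolute and noabsolute_violation($selector)) {
			# … unchanged: logError / logGlobal lines …
			return '';
		}
		$page = readin($selector);
```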



2.41      +15 -4     interchange/lib/Vend/Order.pm


rev 2.41, prev_rev 2.40
Index: Order.pm
===================================================================
RCS file: /var/cvs/interchange/lib/Vend/Order.pm,v
retrieving revision 2.40
retrieving revision 2.41
diff -u -r2.40 -r2.41
--- Order.pm	28 Nov 2002 16:24:01 -0000	2.40
+++ Order.pm	28 Nov 2002 17:12:22 -0000	2.41
@@ -1,6 +1,6 @@
 # Vend::Order - Interchange order routing routines
 #
-# $Id: Order.pm,v 2.40 2002/11/28 16:24:01 kwalsh Exp $
+# $Id: Order.pm,v 2.41 2002/11/28 17:12:22 kwalsh Exp $
 #
 # Copyright (C) 1996-2001 Red Hat, Inc. <interchange@redhat.com>
 #
@@ -28,7 +28,7 @@
 package Vend::Order;
 require Exporter;
 
-$VERSION = substr(q$Revision: 2.40 $, 10);
+$VERSION = substr(q$Revision: 2.41 $, 10);
 
 @ISA = qw(Exporter);
 
@@ -764,8 +764,14 @@
 	my($body, $ok);
 	my($subject);
 # LEGACY
-	$body = readin($::Values->{mv_order_report})
-		if $::Values->{mv_order_report};
+	if ($::Values->{mv_order_report}) {
+		if($Global::NoAbsolute and (file_name_is_absolute($::Values->{mv_order_report}) or $::Values->{mv_order_report} =~ m#\.\./.*\.\.#)) {
+			::logError("Can't use file '%s' with NoAbsolute set", $::Values->{mv_order_report});
+			::logGlobal({ level => 'auth'}, "Can't use file '%s' with NoAbsolute set", $::Values->{mv_order_report});
+			return undef;
+		}
+		$body = readin($::Values->{mv_order_report})
+	}
 # END LEGACY
 	$body = readfile($Vend::Cfg->{OrderReport}, $Global::NoAbsolute)
 		if ! $body;
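Review bot: The new condition on the first added `if` line repeats `$::Values->{mv_order_report}` four times across three lines and runs far past 78 columns; hoisting it once, `my $report = $::Values->{mv_order_report};`, above the outer `if` shortens every line in the block and the read becomes `$body = readin($report);`. That readin call also has no terminating semicolon — legal as the last statement of the block, but it turns into a syntax error the moment a statement is appended after it. The two-`..` threshold of the regex and the duplication with Interpolate.pm are discussed at the Interpolate.pm hunk. The enclosing sub starts before the hunk.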
@@ -780,6 +786,11 @@
 				$Vend::Cfg->{OrderReport},
 				$::Values->{mv_order_report},
 			);
+		if($Global::NoAbsolute and (file_name_is_absolute($Vend::Cfg->{OrderReport}) or $Vend::Cfg->{OrderReport} =~ m#\.\./.*\.\.#)) {
+			::logError("Can't use file '%s' with NoAbsolute set", $Vend::Cfg->{OrderReport});
+			::logGlobal({ level => 'auth'}, "Can't use file '%s' with NoAbsolute set", $Vend::Cfg->{OrderReport});
+			return undef;
+		}
 		$body = readin($Vend::Cfg->{OrderReport});
 		return undef if ! $body;
 	}



2.42      +5 -8      interchange/lib/Vend/Util.pm


rev 2.42, prev_rev 2.41
Index: Util.pm
===================================================================
RCS file: /var/cvs/interchange/lib/Vend/Util.pm,v
retrieving revision 2.41
retrieving revision 2.42
diff -u -r2.41 -r2.42
--- Util.pm	28 Nov 2002 16:24:01 -0000	2.41
+++ Util.pm	28 Nov 2002 17:12:22 -0000	2.42
@@ -1,6 +1,6 @@
 # Vend::Util - Interchange utility functions
 #
-# $Id: Util.pm,v 2.41 2002/11/28 16:24:01 kwalsh Exp $
+# $Id: Util.pm,v 2.42 2002/11/28 17:12:22 kwalsh Exp $
 # 
 # Copyright (C) 1996-2002 Red Hat, Inc. <interchange@redhat.com>
 #
@@ -83,7 +83,7 @@
 use Safe;
 use subs qw(logError logGlobal);
 use vars qw($VERSION @EXPORT @EXPORT_OK);
-$VERSION = substr(q$Revision: 2.41 $, 10);
+$VERSION = substr(q$Revision: 2.42 $, 10);
 
 BEGIN {
 	eval {
@@ -1019,13 +1019,10 @@
 		if defined $Global::Variable->{MV_PAGE};
 	$Global::Variable->{MV_PAGE} = $file;
 
+	$file =~ s#^\s+##;
+	$file =~ s#\s+$##;
 	$file =~ s#\.html?$##;
-	$file =~ s/^\s+//;
-	if($Global::NoAbsolute and $file =~ m:^/:) {
-		::logError("Cannot specify full path '%s' while NoAbsolute is in use.", $file);
-		$file = find_special_page('violation');
-	}
-	elsif($file =~ m{\.\.} and $file =~ /\.\..*\.\./) {
+	if($file =~ m{\.\.} and $file =~ /\.\..*\.\./) {
 		::logError( "Too many .. in file path '%s' for security.", $file );
 		$file = find_special_page('violation');
 	}
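Review bot: With the absolute-path branch removed this routine no longer enforces NoAbsolute at all, and nothing in the hunk records that; a comment above the remaining `..` test would keep a future caller from assuming the old protection is still here, e.g. `# NoAbsolute is enforced by the callers (fly_page, the order-report code), not here; only repeated '..' is rejected.` The remaining test `m{\.\.} and /\.\..*\.\./` is also redundant in its first half, since the second pattern implies the first, and like the call-site guards it lets a name with a single `..` component through. The trailing-whitespace strip added above is worthwhile on its own: with the old order a `.html` suffix followed by a space survived the suffix strip because the `$` anchor did not match. The enclosing sub starts before the hunk; from the commit log this is readin().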