[interchange-cvs] interchange - heins modified 3 files

interchange-cvs at icdevgroup.org interchange-cvs at icdevgroup.org
Fri Jan 30 12:36:53 EST 2004


User:      heins
Date:      2004-01-30 17:36:53 GMT
Modified:  lib/Vend Tag: STABLE_5_0-branch Error.pm Dispatch.pm
Modified:  code/SystemTag Tag: STABLE_5_0-branch dump.coretag
Log:
* Merge security fix from devel. (@Global::HideCGI)

Revision  Changes    Path
No                   revision



No                   revision



2.7.2.1   +27 -14    interchange/lib/Vend/Error.pm


rev 2.7.2.1, prev_rev 2.7
Index: Error.pm
===================================================================
RCS file: /var/cvs/interchange/lib/Vend/Error.pm,v
retrieving revision 2.7
retrieving revision 2.7.2.1
diff -u -r2.7 -r2.7.2.1
--- Error.pm	18 Jun 2003 17:34:44 -0000	2.7
+++ Error.pm	30 Jan 2004 17:36:52 -0000	2.7.2.1
@@ -1,6 +1,6 @@
 # Vend::Error - Handle Interchange error pages and messages
 # 
-# $Id: Error.pm,v 2.7 2003/06/18 17:34:44 jon Exp $
+# $Id: Error.pm,v 2.7.2.1 2004/01/30 17:36:52 mheins Exp $
 #
 # Copyright (C) 2002-2003 Interchange Development Group
 # Copyright (C) 1996-2002 Red Hat, Inc.
@@ -38,7 +38,7 @@
 
 use vars qw/$VERSION/;
 
-$VERSION = substr(q$Revision: 2.7 $, 10);
+$VERSION = substr(q$Revision: 2.7.2.1 $, 10);
 
 sub get_locale_message {
 	my ($code, $message, @arg) = @_;
@@ -111,6 +111,7 @@
 
 sub full_dump {
 	my $portion = shift;
+	my $opt = shift || {};
 	my $out = '';
 	if($portion) {
 		$out .= "###### SESSION ($portion) #####\n";
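Review bot: The new second argument to full_dump is undocumented: `my $opt = shift || {};` accepts any true value, and the keys it honours can only be found by reading the body in the following hunk. A comment above the sub would help, for example `# $opt (hashref, optional): no_env, no_cgi, no_session omit a section; show_all disables the @Global::HideCGI filter`. Because `show_all` turns the redaction off, the comment should also say which callers are expected to set it. The body of full_dump continues outside this hunk.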
@@ -122,20 +123,32 @@
 
 	$out = minidump();
 	local($Data::Dumper::Indent) = 2;
-	$out .= "###### ENVIRONMENT     #####\n";
-	if(my $h = ::http()) {
-		$out .= uneval($h->{env});
+	unless ($opt->{no_env}) {
+		$out .= "###### ENVIRONMENT     #####\n";
+		if(my $h = ::http()) {
+			$out .= uneval($h->{env});
+		}
+		else {
+			$out .= uneval(\%ENV);
+		}
+		$out .= "\n###### END ENVIRONMENT #####\n";
 	}
-	else {
-		$out .= uneval(\%ENV);
+	unless($opt->{no_cgi}) {
+		my %cgi = %CGI::values;
+		unless($opt->{show_all}) {
+			for(@Global::HideCGI) {
+				delete $cgi{$_};
+			}
+		}
+		$out .= "###### CGI VALUES      #####\n";
+		$out .= uneval(\%cgi);
+		$out .= "\n###### END CGI VALUES  #####\n";
+	}
+	unless($opt->{no_session}) {
+		$out .= "###### SESSION         #####\n";
+		$out .= uneval($Vend::Session);
+		$out .= "\n###### END SESSION    #####\n";
 	}
-	$out .= "\n###### END ENVIRONMENT #####\n";
-	$out .= "###### CGI VALUES      #####\n";
-	$out .= uneval(\%CGI::values);
-	$out .= "\n###### END CGI VALUES  #####\n";
-	$out .= "###### SESSION         #####\n";
-	$out .= uneval($Vend::Session);
-	$out .= "\n###### END SESSION    #####\n";
 	$out =~ s/\0/\\0/g;
 	return $out;
 }
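Review bot: Only the CGI VALUES section is filtered through @Global::HideCGI; the SESSION section still emits `uneval($Vend::Session)` whole, and the ENVIRONMENT section emits the full request environment. If form values are copied into the session under the same names (the session layout is not visible here), a password or card number removed from the CGI section could still appear a few lines later in the same dump. The environment may likewise carry cookies or authorization headers. Consider applying the same key list to a copy of the session's stored values before dumping, or at least recording the limit in place with `# NOTE: @Global::HideCGI is applied to CGI values only; session and environment are dumped unfiltered`. full_dump begins outside this hunk.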



1.28.2.1  +12 -2     interchange/lib/Vend/Dispatch.pm


rev 1.28.2.1, prev_rev 1.28
Index: Dispatch.pm
===================================================================
RCS file: /var/cvs/interchange/lib/Vend/Dispatch.pm,v
retrieving revision 1.28
retrieving revision 1.28.2.1
diff -u -r1.28 -r1.28.2.1
--- Dispatch.pm	6 Dec 2003 22:52:36 -0000	1.28
+++ Dispatch.pm	30 Jan 2004 17:36:52 -0000	1.28.2.1
@@ -1,6 +1,6 @@
 # Vend::Dispatch - Handle Interchange page requests
 #
-# $Id: Dispatch.pm,v 1.28 2003/12/06 22:52:36 mheins Exp $
+# $Id: Dispatch.pm,v 1.28.2.1 2004/01/30 17:36:52 mheins Exp $
 #
 # Copyright (C) 2002-2003 Interchange Development Group
 # Copyright (C) 2002 Mike Heins <mike at perusion.net>
@@ -26,7 +26,7 @@
 package Vend::Dispatch;
 
 use vars qw($VERSION);
-$VERSION = substr(q$Revision: 1.28 $, 10);
+$VERSION = substr(q$Revision: 1.28.2.1 $, 10);
 
 use POSIX qw(strftime);
 use Vend::Util;
@@ -152,6 +152,16 @@
 			if defined $extra;
 	}
 }
+
+## This is the set of variables we don't want to dump or save in
+## sessions for security reasons.
+ at Global::HideCGI = qw(
+						mv_password
+						mv_verify
+						mv_password_old
+						mv_credit_card_number
+						mv_credit_card_cvv2
+					);
 
 # This is the set of CGI-passed variables to ignore, in other words
 # never set in the user session.  If set in the mv_check pass, though,
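Review bot: The new comment says these variables are kept out of dumps and out of saved sessions, but the only use visible in this commit is the `delete $cgi{$_}` loop in Vend::Error::full_dump. If the session side is enforced elsewhere, the comment should name where, e.g. `## Removed from [dump] output by Vend::Error::full_dump; session filtering: see <routine name>`. The list is also matched by exact key name, so site-specific password or payment fields are not covered unless they are added here, which the comment should say as well.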



No                   revision



No                   revision



1.1.4.1   +1 -0      interchange/code/SystemTag/dump.coretag


rev 1.1.4.1, prev_rev 1.1
Index: dump.coretag
===================================================================
RCS file: /var/cvs/interchange/code/SystemTag/dump.coretag,v
retrieving revision 1.1
retrieving revision 1.1.4.1
diff -u -r1.1 -r1.1.4.1
--- dump.coretag	29 Jan 2002 05:52:38 -0000	1.1
+++ dump.coretag	30 Jan 2004 17:36:53 -0000	1.1.4.1
@@ -1,3 +1,4 @@
 UserTag dump                Order        key
+UserTag dump                addAttr
 UserTag dump                PosNumber    1
 UserTag dump                MapRoutine   ::full_dump
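Review bot: `addAttr` presumably makes the tag's attributes reach `::full_dump` as its new option hash, which would mean `show_all` (the option that skips the @Global::HideCGI filter) can be set by whoever writes the `[dump]` call. If pages can be edited by users less trusted than the server administrator, consider ignoring `show_all` when it arrives from tag attributes, or gating it on a global setting. At minimum the tag's documentation should list `no_env`, `no_cgi`, `no_session` and `show_all`, and mark `show_all` as re-exposing password and card-number fields.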







