[interchange-cvs] [SCM] Interchange branch, master, updated. 08a1fdeb0cf66e2499844c96ab9e826857174fe3

Jon Jensen interchange-cvs at icdevgroup.org
Tue Sep 8 05:08:58 UTC 2009


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "Interchange".

The branch, master has been updated
       via  08a1fdeb0cf66e2499844c96ab9e826857174fe3 (commit)
       via  7fcf35230ecfa91929165bf0129847752272576a (commit)
       via  239f9a3b19506dd2da369c3c8c047acf0f3b2d7f (commit)
       via  74803e29a89d02d353739b9ee4f74c9db3a88938 (commit)
      from  fd8bca3ef93035466208fabe05618f6e18999954 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 08a1fdeb0cf66e2499844c96ab9e826857174fe3
Author: Jon Jensen <jon at endpoint.com>
Date:   Mon Sep 7 23:07:31 2009 -0600

    parse_dir_array: Validate paths for NoAbsolute etc.

commit 7fcf35230ecfa91929165bf0129847752272576a
Author: Jon Jensen <jon at endpoint.com>
Date:   Mon Sep 7 23:05:24 2009 -0600

    parse_relative_dir: Use standard absolute_or_relative() check
    
    Use standard routines to check for absolute or subdirectory-escaping
    paths instead of duplicate logic here.
    
    Remove comment that's somewhat misleading since relative paths are
    absolutized all over in other routines too.

commit 239f9a3b19506dd2da369c3c8c047acf0f3b2d7f
Author: Jon Jensen <jon at endpoint.com>
Date:   Mon Sep 7 23:03:18 2009 -0600

    Make sure catalog TemplateDir directives are safe when NoAbsolute is set

commit 74803e29a89d02d353739b9ee4f74c9db3a88938
Author: Jon Jensen <jon at endpoint.com>
Date:   Mon Sep 7 23:01:47 2009 -0600

    Set $Vend::Cat as early as possible
    
    This solves a chicken-and-egg problem for configuration-time code that
    works fine once the catalog is fully configured.

-----------------------------------------------------------------------

Summary of changes and diff:
 lib/Vend/Config.pm |   34 ++++++++++++++++++++--------------
 1 files changed, 20 insertions(+), 14 deletions(-)

diff --git a/lib/Vend/Config.pm b/lib/Vend/Config.pm
index 6a19eb8..744423d 100644
--- a/lib/Vend/Config.pm
+++ b/lib/Vend/Config.pm
@@ -1006,6 +1006,8 @@ sub config {
 	my($catalog, $dir, $confdir, $subconfig, $existing, $passed_file) = @_;
 	my($d, $parse, $var, $value, $lvar);
 
+	$Vend::Cat = $catalog;
+
 	if(ref $existing eq 'HASH') {
 #::logDebug("existing=$existing");
 		$C = $existing;
@@ -3577,9 +3579,16 @@ sub set_default_search {
 		},
 		ProductFiles => \&set_default_search,
 		VendRoot => sub {
+			my $cat_template_dirs = $C->{TemplateDir} || [];
+			if ($Global::NoAbsolute) {
+				for (@$cat_template_dirs) {
+					absolute_or_relative($_) and
+						config_error("TemplateDir path %s is prohibited by NoAbsolute", $_);
+				}
+			}
 			my @paths = map { quotemeta $_ }
 							$C->{VendRoot},
-							@{$C->{TemplateDir} || []},
+							@$cat_template_dirs,
 							@{$Global::TemplateDir || []};
 			my $re = join "|", @paths;
 			$Global::AllowedFileRegex->{$C->{CatalogName}} = qr{^($re)};
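Review bot: The NoAbsolute loop over `@$cat_template_dirs` aliases each entry to `$_` and then hands `$_` to absolute_or_relative() and config_error(); a named loop variable avoids depending on those routines leaving `$_` untouched and reads more clearly: `for my $dir (@$cat_template_dirs) { absolute_or_relative($dir) and config_error("TemplateDir path %s is prohibited by NoAbsolute", $dir); }`. The check runs when the VendRoot entry of this table is processed, so it only covers TemplateDir values already present at that point; if this table is a post-parse defaults pass (the `set_default_search` context suggests so) that is every value, otherwise anything set afterwards bypasses it — worth confirming. The same entries still feed the `qr{^($re)}` prefix regex unchecked when NoAbsolute is off, which is pre-existing behaviour rather than something this commit changes. The enclosing table and its sub start before the hunk.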
@@ -3895,31 +3904,28 @@ sub parse_root_dir_array {
 sub parse_dir_array {
 	my($var, $value) = @_;
 	return [] unless $value;
+
 	$value = "$C->{VendRoot}/$value"
 		unless file_name_is_absolute($value);
 	$value =~ s./+$..;
+
+	unless (allowed_file($value)) {
+		config_error('Path %s not allowed in %s directive',
+					  $value, $var);
+	}
+
 	$C->{$var} = [] unless $C->{$var};
 	my $c = $C->{$var} || [];
 	push @$c, $value;
 	return $c;
 }
 
-# Prepend the CatalogRoot pathname to the relative directory specified,
-# unless it already starts with a leading /.
-
 sub parse_relative_dir {
 	my($var, $value) = @_;
 
-	if ($Global::NoAbsolute) {
-		# sanity check on filenames
-		if (file_name_is_absolute($value)) {
-			config_error('Absolute path %s not allowed in %s directive',
-						 $value, $var)
-		}
-		if ($value =~ m#^\.\./.*\.\.#) {
-			config_error('Path %s outside of catalog directory not allowed in %s directive',
-						 $value, $var)
-		}
+	if (absolute_or_relative($value)) {
+		config_error('Path %s not allowed in %s directive',
+					  $value, $var);
 	}
 
 	$C->{Source}{$var} = $value;
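Review bot: The new allowed_file() gate in parse_dir_array sees a value that has been absolutized and stripped of trailing slashes but not normalised, so a directive value with `..` segments (e.g. `../elsewhere`, which becomes `$C->{VendRoot}/../elsewhere`) reaches the check intact; allowed_file's definition is outside this hunk, and if it reduces to the `qr{^($re)}` prefix match the VendRoot block builds from VendRoot and TemplateDir, such a value still carries the VendRoot prefix and passes. Unless allowed_file is known to reject parent-directory components, a direct check ahead of it closes that gap: `config_error('Path %s not allowed in %s directive', $value, $var) if $value =~ m{(?:\A|/)\.\.(?:/|\z)};`. In parse_relative_dir the replacement check is no longer wrapped in `if ($Global::NoAbsolute)`; since the VendRoot hunk above gates absolute_or_relative() with that same flag, the helper apparently does not consult it, so absolute values are now rejected here even when NoAbsolute is off — confirm that is intended. parse_relative_dir's body continues outside the hunk.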

