[ic] Re: Security hole in IC admin
Jon Jensen
jon@akopia.com
Mon, 16 Apr 2001 18:26:03 -0500 (CDT)
Oops. I made a mistake in one of the patches. Using the localization
function errmsg() in do_view works in 4.7.x, but in 4.6.x it generates an
error. (The function was not imported into the current package namespace.)
This error still keeps the file from being displayed, but it's not ideal.
A better patch follows. Sorry about that.
Jon
Index: do_view.html
===================================================================
RCS file: /anon_cvs/repository/interchange/dist/lib/UI/pages/admin/do_view.html,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- do_view.html 2000/08/05 13:55:37 1.2
+++ do_view.html 2001/04/14 22:28:29 1.3
@@ -1,6 +1,10 @@
[seti total_junk][perl]
delete $Scratch->{violation};
$_ = delete $Session->{arg};
+ $Scratch->{violation} = 'Must be logged in.'
+ unless $Session->{logged_in};
+ $Scratch->{violation} = 'Must be logged in as admin.'
+ unless $Session->{admin};
$Scratch->{violation} = 'No .. allowed in file name.'
if m{\.\./};
$Scratch->{violation} = 'No | allowed.'
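Review bot: The two new checks at the top of the hunk both assign to `$Scratch->{violation}` unconditionally, so when neither `logged_in` nor `admin` is set the second assignment overwrites the first and the 'Must be logged in.' message is never shown; the same applies to the later `..` and `|` checks, which can replace the login message with a file-name message for an anonymous caller. Functionally this is fine as long as the rest of the block only tests whether `violation` is set, but it would be clearer to chain the tests (`if ... elsif ...`) or to stop at the first violation so that the message reported matches the condition that actually rejected the request.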