
interchange-cvs at icdevgroup
Sep 1, 2009, 6:56 PM
[SCM] Interchange branch, master, updated. f265e8a282e61bb46a14ebfd41a842f13d96db17
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "Interchange". The branch, master has been updated via f265e8a282e61bb46a14ebfd41a842f13d96db17 (commit) from 104d0006f1d7f6bb1d34508b0cf91b47a30b15e9 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit f265e8a282e61bb46a14ebfd41a842f13d96db17 Author: Jon Jensen <jon [at] endpoint> Date: Tue Sep 1 19:53:25 2009 -0600 Prevent TemplateDir from circumventing NoAbsolute constraints Problem reported by Peter Ajamian. ----------------------------------------------------------------------- Summary of changes and diff: dist/test/products/tests.asc | 23 +++++++++++++++++++++++ lib/Vend/File.pm | 8 +++++--- 2 files changed, 28 insertions(+), 3 deletions(-) diff --git a/dist/test/products/tests.asc b/dist/test/products/tests.asc index bf154a8..9d3df92 100644 --- a/dist/test/products/tests.asc +++ b/dist/test/products/tests.asc @@ -2997,6 +2997,29 @@ Should succeed: 1 %% Verify fix of AllowedFileRegex circumvention %%% +000167 +%% +[calcn] + # /etc/passwd makes a good demonstration + unshift @{$Config->{TemplateDir}}, '/etc'; + return; +[/calcn] +<pre>[file passwd]</pre> +[calcn] + # clean up after our mess + shift @{$Config->{TemplateDir}}; + return; +[/calcn] +%% + +<pre></pre> + +%% +%% + +%% +Verify fix of TemplateDir circumvention of NoAbsolute constraints +%%% 999999 %% [the test] [perl] diff --git a/lib/Vend/File.pm b/lib/Vend/File.pm index a575ce8..e456bf6 100644 --- a/lib/Vend/File.pm +++ b/lib/Vend/File.pm 
@@ -215,9 +215,11 @@ sub readfile { $file = $ifile; } else { - for( ".", @{$Vend::Cfg->{TemplateDir} || []}, @{$Global::TemplateDir || []}) { - next if ! -f "$_/$ifile"; - $file = "$_/$ifile"; + for (".", @{$Vend::Cfg->{TemplateDir} || []}, @{$Global::TemplateDir || []}) { + my $candidate = "$_/$ifile"; + log_file_violation($candidate), next if ! allowed_file($candidate); + next if ! -f $candidate; + $file = $candidate; last; } } hooks/post-receive -- Interchange _______________________________________________ interchange-cvs mailing list interchange-cvs [at] icdevgroup http://www.icdevgroup.org/mailman/listinfo/interchange-cvs
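Review bot: in the new test 000167 the cleanup `shift @{$Config->{TemplateDir}};` lives in a second [calcn] block, so it only runs if the first [calcn] and the `[file passwd]` tag complete normally; if anything in between dies, `/etc` stays prepended to TemplateDir for every later test in tests.asc. Saving a copy of the array before the `unshift` (e.g. `my @saved = @{$Config->{TemplateDir}};`) and restoring it unconditionally would isolate the test. The expected output `<pre></pre>` also only checks that nothing came back; it does not check that a file violation was logged, so an empty result for an unrelated reason (the test host simply not having /etc/passwd) passes just the same.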
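Review bot: the `allowed_file` check is added only in the `else` branch of `readfile`; the preceding branch that assigns `$file = $ifile;` directly is outside this hunk, so please confirm that path already goes through `allowed_file` before the file is opened, otherwise the NoAbsolute constraint is enforced for TemplateDir candidates but not for the direct case. Minor style point: `log_file_violation($candidate), next if ! allowed_file($candidate);` is a comma-operator pair hanging off a statement modifier and is easy to misread as a single call; the plain form `if (! allowed_file($candidate)) { log_file_violation($candidate); next; }` reads more clearly and costs nothing.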