From 62f1f9732b746a84a1fd3ee67b70f7a297fcdb42 Mon Sep 17 00:00:00 2001 From: joey Date: Thu, 23 Mar 2006 04:33:35 +0000 Subject: found & fixed another symlink attack --- ikiwiki | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) (limited to 'ikiwiki') diff --git a/ikiwiki b/ikiwiki index 78aa65ce2..6b8a51535 100755 --- a/ikiwiki +++ b/ikiwiki @@ -152,6 +152,10 @@ sub htmlpage ($) { #{{{ sub readfile ($) { #{{{ my $file=shift; + if (-l $file) { + error("cannot read a symlink ($file)"); + } + local $/=undef; open (IN, "$file") || error("failed to read $file: $!"); my $ret=; @@ -162,6 +166,10 @@ sub readfile ($) { #{{{ sub writefile ($$) { #{{{ my $file=shift; my $content=shift; + + if (-l $file) { + error("cannot write to a symlink ($file)"); + } my $dir=dirname($file); if (! -d $dir) { @@ -1334,7 +1342,7 @@ sub cgi_editpage ($$) { #{{{ ! length $form->field('content')) { my $content=""; if (exists $pagesources{lc($page)}) { - $content=readfile("$config{srcdir}/$pagesources{lc($page)}"); + $content=readfile("$config{srcdir}/$pagesources{lc($page)}"); $content=~s/\n/\r\n/g; } $form->field(name => "content", value => $content, -- cgit v1.2.3
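Review bot: The `-l $file` test added at the top of readfile is a separate step from the `open (IN, "$file")` that follows, so the path can change between the check and the open, and only the final path component is tested. Opening with `sysopen(IN, $file, O_RDONLY|O_NOFOLLOW) || error("failed to read $file: $!");` (with `use Fcntl;`, on platforms that define O_NOFOLLOW) makes the refusal part of the open itself. It also stops the two-argument open from interpreting characters in the filename as an open mode. The same check-then-use gap applies to the `-l $file` test added in writefile, whose open is outside the hunk. Both checks also depend on error() not returning, which is not visible here.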
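Review bot: In writefile the new `-l $file` check does not cover the directory: `-d $dir` on the following lines follows symlinks, so a symlinked parent directory passes both tests and the write would presumably land wherever it points. Consider adding `if (-l $dir) { error("cannot write under a symlinked directory ($dir)"); }` after `my $dir=dirname($file);`, with a comment noting that components above the immediate parent are still unchecked. The rest of writefile, including the actual open, is outside the hunk, so this is based only on the visible lines.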