authortetragon <tetragon@4979c152-3d1c-0410-bac9-87ea11338e46>2007-03-20 01:55:37 +0000
committertetragon <tetragon@4979c152-3d1c-0410-bac9-87ea11338e46>2007-03-20 01:55:37 +0000
commit585751b5d2dd484572e9c60751a4ea0a6e536fc5 (patch)
tree4b6270da51b614805748efa065c2b6d2cb71f6e0
parent030ef4038357cabe10ecd747c8d163624ef812e7 (diff)
Whitelist the possible $form->{script} values
git-svn-id: https://ledger-smb.svn.sourceforge.net/svnroot/ledger-smb/branches/1.2@949 4979c152-3d1c-0410-bac9-87ea11338e46
-rwxr-xr-xLedgerSMB/Form.pm12
1 files changed, 7 insertions, 5 deletions
diff --git a/LedgerSMB/Form.pm b/LedgerSMB/Form.pm
index e873622d..f0cb545e 100755
--- a/LedgerSMB/Form.pm
+++ b/LedgerSMB/Form.pm
@@ -45,6 +45,8 @@ sub new {
my $argstr = shift;
+ use List::Util qw(first);
+
read(STDIN, $_, $ENV{CONTENT_LENGTH});
if ($argstr){
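Review bot: The `use List::Util qw(first);` added inside `sub new` reads as if the import were scoped to the constructor, but `use` is processed at compile time and imports `first` into the whole package wherever it is written. Placing it with the file's other `use` lines at the top of `LedgerSMB/Form.pm` would make that explicit. Because this package is blessed into objects, an imported `first` also becomes reachable as a method name; `use List::Util ();` with a fully qualified `List::Util::first` call avoids that. The body of `new` starts before and continues after this hunk.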
@@ -79,13 +81,14 @@ sub new {
bless $self, $type;
- if ($form->{path} ne 'bin/lynx'){ $form->{path} = 'bin/mozilla';}
+ if ($self->{path} ne 'bin/lynx'){ $self->{path} = 'bin/mozilla';}
if (($self->{script} =~ m#(..|\\|/)#)){
$self->error("Access Denied");
}
-
-
+ if (not first {$_ eq $self->{script}} @{LedgerSMB::Sysconfig::scripts}){
+ $self->error('Access Denied');
+ }
if (($self->{action} =~ /:/) || ($self->{nextsub} =~ /:/)){
$self->error("Access Denied");
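Review bot: The new whitelist test on `$self->{script}` is only reached after the blacklist on the context line above it, and as rendered here that pattern, `m#(..|\\|/)#`, leaves both dots unescaped, so it matches any value of two or more characters rather than a literal `..`. Provided the whitelist holds only bare script names, the exact-match test makes the blacklist redundant, so either escape the dots (`m#(\.\.|\\|/)#`) or drop the blacklist and keep the whitelist alone. On the added lines, an undefined or empty `script` makes `first` return undef and is denied; that is fail-closed, and a comment such as `# Deny unless script is an exact member of @LedgerSMB::Sysconfig::scripts (a missing script is denied too)` would record that this is intended. The hunk shows no `use LedgerSMB::Sysconfig`, so confirm the list is loaded before `new` runs, since an empty list rejects every request. `new` begins and ends outside the hunk.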
@@ -213,9 +216,8 @@ sub error {
if ($ENV{error_function}) {
&{ $ENV{error_function} }($msg);
- } else {
- die "Error: $msg\n";
}
+ die "Error: $msg\n";
}
}
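Review bot: The unconditional `die "Error: $msg\n";` added after the handler call has no comment saying why the `else` was removed. It appears to be what makes the "Access Denied" checks in `new` stop the request even when `$ENV{error_function}` is set and the handler returns. A comment above it, for example `# Always abort: callers treat error() as a hard stop, even if the handler returns`, would keep a later edit from restoring the `else`. Separately, the handler on the context line is looked up by name from `%ENV` and called through `&{ ... }`; if that value is not set exclusively by the application itself, a fixed dispatch table of known handlers would be safer. `sub error` starts outside this hunk, so the enclosing branch is not visible.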