authortetragon <tetragon@4979c152-3d1c-0410-bac9-87ea11338e46>2006-11-07 23:47:14 +0000
committertetragon <tetragon@4979c152-3d1c-0410-bac9-87ea11338e46>2006-11-07 23:47:14 +0000
commit3873a1567288326197e0513548e5b0bea128d466 (patch)
treea207c2991d1b4996d1adba9488f88c462edcbbd8 /LedgerSMB
parent9ad4354cd37c91a8643da0156ec7cff2d26d2e4b (diff)
Whitelist redirect destination
git-svn-id: https://ledger-smb.svn.sourceforge.net/svnroot/ledger-smb/trunk@493 4979c152-3d1c-0410-bac9-87ea11338e46
Diffstat (limited to 'LedgerSMB')
-rwxr-xr-xLedgerSMB/Form.pm2
-rw-r--r--LedgerSMB/Sysconfig.pm6
2 files changed, 8 insertions, 0 deletions
diff --git a/LedgerSMB/Form.pm b/LedgerSMB/Form.pm
index a3005ee9..94f21142 100755
--- a/LedgerSMB/Form.pm
+++ b/LedgerSMB/Form.pm
@@ -321,6 +321,8 @@ sub redirect {
if ($self->{callback}) {
my ($script, $argv) = split(/\?/, $self->{callback});
+ $self->error($locale->text("Invalid redirect")) unless
+ grep {/$script/} @{LedgerSMB::Sysconfig::scripts};
exec ("perl", $script, $argv);
} else {
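Review bot: The added guard on the `grep` line interpolates `$script`, which is split out of `$self->{callback}` and appears to be request-supplied, into a regex unescaped and unanchored, so a callback script of `a`, `.`, or `aa.pl|x` matches some whitelist entry as a pattern while the `exec` on the next line still receives the attacker's literal value; the check proves that a whitelisted name matches `$script`, not that `$script` is a whitelisted name. Compare for exact string equality instead: `grep { $_ eq $script } @{LedgerSMB::Sysconfig::scripts};` with the `unless` line unchanged. That also rejects an empty `$script` from a callback beginning with `?`, which as an empty pattern would otherwise reuse the last successful match rather than fail. The guard only works if `$self->error` does not return; it looks to be used as a fatal error here, but that is worth confirming. The rest of `redirect`, including the `else` branch, lies outside the hunk.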
diff --git a/LedgerSMB/Sysconfig.pm b/LedgerSMB/Sysconfig.pm
index 4e79f72a..f4445e2f 100644
--- a/LedgerSMB/Sysconfig.pm
+++ b/LedgerSMB/Sysconfig.pm
@@ -13,6 +13,12 @@ $logging=0; # No logging on by default
@io_lineitem_columns = qw(unit onhand sellprice discount linetotal);
+# Whitelist for redirect destination
+@scripts = ('aa.pl', 'admin.pl', 'am.pl', 'ap.pl', 'ar.pl', 'arap.pl',
+ 'arapprn.pl', 'bp.pl', 'ca.pl', 'cp.pl', 'ct.pl', 'gl.pl', 'hr.pl',
+ 'ic.pl', 'io.pl', 'ir.pl', 'is.pl', 'jc.pl', 'login.pl', 'menu.pl',
+ 'oe.pl', 'pe.pl', 'pos.pl', 'ps.pl', 'pw.pl', 'rc.pl', 'rp.pl');
+
# if you have latex installed set to 1
$latex = 1;