From 3873a1567288326197e0513548e5b0bea128d466 Mon Sep 17 00:00:00 2001
From: tetragon
Date: Tue, 7 Nov 2006 23:47:14 +0000
Subject: Whitelist redirect destination
git-svn-id: https://ledger-smb.svn.sourceforge.net/svnroot/ledger-smb/trunk@493 4979c152-3d1c-0410-bac9-87ea11338e46
---
 LedgerSMB/Form.pm | 2 ++
 LedgerSMB/Sysconfig.pm | 6 ++++++
 bin/am.pl | 4 ++++
 3 files changed, 12 insertions(+)
diff --git a/LedgerSMB/Form.pm b/LedgerSMB/Form.pm
index a3005ee9..94f21142 100755
--- a/LedgerSMB/Form.pm
+++ b/LedgerSMB/Form.pm
@@ -321,6 +321,8 @@ sub redirect {
 if ($self->{callback}) {
 my ($script, $argv) = split(/\?/, $self->{callback});
+ $self->error($locale->text("Invalid redirect")) unless
+ grep {/$script/} @{LedgerSMB::Sysconfig::scripts};
 exec ("perl", $script, $argv);
 } else {
diff --git a/LedgerSMB/Sysconfig.pm b/LedgerSMB/Sysconfig.pm
index 4e79f72a..f4445e2f 100644
--- a/LedgerSMB/Sysconfig.pm
+++ b/LedgerSMB/Sysconfig.pm
@@ -13,6 +13,12 @@ $logging=0; # No logging on by default
 @io_lineitem_columns = qw(unit onhand sellprice discount linetotal);
+# Whitelist for redirect destination
+@scripts = ('aa.pl', 'admin.pl', 'am.pl', 'ap.pl', 'ar.pl', 'arap.pl',
+ 'arapprn.pl', 'bp.pl', 'ca.pl', 'cp.pl', 'ct.pl', 'gl.pl', 'hr.pl',
+ 'ic.pl', 'io.pl', 'ir.pl', 'is.pl', 'jc.pl', 'login.pl', 'menu.pl',
+ 'oe.pl', 'pe.pl', 'pos.pl', 'ps.pl', 'pw.pl', 'rc.pl', 'rp.pl');
+
 # if you have latex installed set to 1
 $latex = 1;
diff --git a/bin/am.pl b/bin/am.pl
index 7931ff92..d1c3260d 100755
--- a/bin/am.pl
+++ b/bin/am.pl
@@ -3202,6 +3202,8 @@ sub print_recurring {
 @a = ("perl", "$form->{script}", "action=reprint&module=$form->{module}&type=$form->{type}&login=$form->{login}&path=$form->{path}&sessionid=$form->{sessionid}&id=$form->{id}&formname=$f[$j]&format=$f[$j+1]&media=$media&vc=$form->{vc}&ARAP=$form->{ARAP}");
+ $form->error($locale->text('Invalid redirect')) unless
+ grep {/$form->{script}/} @{LedgerSMB::Sysconfig::scripts};
 $ok = !(system(@a));
 if ($ok) {
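Review bot: The allowlist check on the two added lines in redirect compares the wrong way round: `grep {/$script/}` interpolates the caller-supplied `$script` as an unescaped regex and accepts it whenever that pattern matches some entry of `@scripts`, so an unanchored fragment or a value containing regex metacharacters that happens to match an allowed name passes, and a value that is not a valid pattern dies inside the match instead of producing the intended error. Compare as a literal string: `grep { $_ eq $script } @LedgerSMB::Sysconfig::scripts` (the `@{bareword}` spelling resolves to the same package array, but the plain sigil form is clearer). The identical construct is added in bin/am.pl in print_recurring and email_recurring (`grep {/$form->{script}/}`) and needs the same change. The guard also relies on `$self->error` not returning and on `$locale` being in scope in Form.pm, neither of which is visible here. redirect's body continues outside the hunk.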
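Review bot: The script allowlist test is duplicated verbatim in print_recurring here and in email_recurring (second bin/am.pl hunk), with a third copy in LedgerSMB::Form::redirect; it belongs in one helper (for example a Form method that takes the script name and raises the same 'Invalid redirect' error) so any later correction is made in a single place. Here it is also evaluated after `@a` has already been built from `$form->{script}`, and if the surrounding code is the per-format loop that the `$f[$j]` indexing suggests, it runs once per iteration although `$form->{script}` does not change; moving the check above the loop would read better. print_recurring starts and continues outside the hunk.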
@@ -3241,6 +3243,8 @@ sub email_recurring {
 @a = ("perl", "$form->{script}", "action=reprint&module=$form->{module}&type=$form->{type}&login=$form->{login}&path=$form->{path}&sessionid=$form->{sessionid}&id=$form->{id}&formname=$f[$j]&format=$f[$j+1]&media=email&vc=$form->{vc}&ARAP=$form->{ARAP}&message=$message");
+ $form->error($locale->text('Invalid redirect')) unless
+ grep {/$form->{script}/} @{LedgerSMB::Sysconfig::scripts};
 $ok = !(system(@a));
 if ($ok) {
--
cgit v1.2.3