[interchange-cvs] interchange - heins modified 2 files

interchange-core@interchange.redhat.com interchange-core@interchange.redhat.com
Wed Oct 17 13:42:00 2001


User:      heins
Date:      2001-10-17 17:41:25 GMT
Modified:  lib/Vend Tag: STABLE_4_8-branch Config.pm Interpolate.pm
Log:
	* Close security hole by disabling Safe :base_io group by default.

	  Found by Jon. 8-)

	* Do this by adding SafeTrap directive and setting to :base_io.

Revision  Changes    Path
No                   revision



No                   revision



2.2.2.4   +4 -2      interchange/lib/Vend/Config.pm


rev 2.2.2.4, prev_rev 2.2.2.3
Index: Config.pm
===================================================================
RCS file: /anon_cvs/repository/interchange/lib/Vend/Config.pm,v
retrieving revision 2.2.2.3
retrieving revision 2.2.2.4
diff -u -r2.2.2.3 -r2.2.2.4
--- Config.pm	2001/10/13 23:10:23	2.2.2.3
+++ Config.pm	2001/10/17 17:41:24	2.2.2.4
@@ -1,6 +1,6 @@
 # Vend::Config - Configure Interchange
 #
-# $Id: Config.pm,v 2.2.2.3 2001/10/13 23:10:23 mheins Exp $
+# $Id: Config.pm,v 2.2.2.4 2001/10/17 17:41:24 mheins Exp $
 #
 # Copyright (C) 1996-2001 Red Hat, Inc. <interchange@redhat.com>
 #
@@ -95,7 +95,7 @@
 use Vend::Parse;
 use Vend::Util;
 
-$VERSION = substr(q$Revision: 2.2.2.3 $, 10);
+$VERSION = substr(q$Revision: 2.2.2.4 $, 10);
 
 my %CDname;
 
@@ -324,6 +324,7 @@
 	['PIDcheck',		 'integer',          '0'],
 	['LockoutCommand',    undef,             ''],
 	['SafeUntrap',       'array',            'ftfile sort'],
+	['SafeTrap',         'array',            ':base_io'],
 	['NoAbsolute',		 'yesno',			 'No'],
 	['AllowGlobal',		 'boolean',			 ''],
 	['AddDirective',	 'directive',		 ''],
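Review bot: The new `SafeTrap` row carries no comment saying that its default is what closes the I/O hole, and the `'array'` type suggests a site-supplied value may replace `:base_io` rather than add to it (the parser is outside this hunk, so that is an inference). An operator who sets `SafeTrap` for some other opcode could then drop the `:base_io` mask without noticing. I would add above the row `# SafeTrap: opsets masked in every Safe compartment; keep :base_io listed unless embedded Perl must do I/O`, and repeat that in the directive documentation. The directive table starts and ends outside the hunk.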
@@ -2981,6 +2982,7 @@
 			my $code = $val;
 			$code =~ s'$Vend::Session->'$foo'g;
 			$code =~ s'$Vend::Cfg->'$bar'g;
+			$safe->trap(@{$Global::SafeTrap});
 			$safe->untrap(@{$Global::SafeUntrap});
 			$sub = $safe->reval($code);
 			if($@) {
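Review bot: `untrap` runs after the added `trap`, so any opcode that appears in both `SafeTrap` and `SafeUntrap` ends up permitted; the same order is used in the `reset_calc` and `RUNSAFE` hunks of Interpolate.pm. With the defaults shown in the directive table (`:base_io` against `ftfile sort`) there is no overlap, but a site configuration can create one. If allow-wins is intended, say so next to the calls, e.g. `# SafeUntrap is applied last and overrides SafeTrap`; if deny should win, swap the two lines at all three sites. The enclosing routine starts and ends outside the hunk.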



2.9.2.6   +5 -2      interchange/lib/Vend/Interpolate.pm


rev 2.9.2.6, prev_rev 2.9.2.5
Index: Interpolate.pm
===================================================================
RCS file: /anon_cvs/repository/interchange/lib/Vend/Interpolate.pm,v
retrieving revision 2.9.2.5
retrieving revision 2.9.2.6
diff -u -r2.9.2.5 -r2.9.2.6
--- Interpolate.pm	2001/10/13 23:10:23	2.9.2.5
+++ Interpolate.pm	2001/10/17 17:41:24	2.9.2.6
@@ -1,6 +1,6 @@
 # Vend::Interpolate - Interpret Interchange tags
 # 
-# $Id: Interpolate.pm,v 2.9.2.5 2001/10/13 23:10:23 mheins Exp $
+# $Id: Interpolate.pm,v 2.9.2.6 2001/10/17 17:41:24 mheins Exp $
 #
 # Copyright (C) 1996-2001 Red Hat, Inc. <interchange@redhat.com>
 #
@@ -27,7 +27,7 @@
 require Exporter;
 @ISA = qw(Exporter);
 
-$VERSION = substr(q$Revision: 2.9.2.5 $, 10);
+$VERSION = substr(q$Revision: 2.9.2.6 $, 10);
 
 @EXPORT = qw (
 
@@ -159,6 +159,7 @@
 use vars qw/%Filter %Ship_handler $Safe_data/;
 
 $ready_safe = new Safe;
+$ready_safe->trap(qw/:base_io/);
 $ready_safe->untrap(qw/sort ftfile/);
 
 sub reset_calc {
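Review bot: The load-time compartment gets a literal `:base_io` while the other call sites in this commit read `$Global::SafeTrap`, so the mask is defined in two places that can drift apart. Presumably the configuration is not yet available when this statement runs, which would explain the literal, as with the existing `untrap(qw/sort ftfile/)` line. A comment would make that explicit: `# baseline mask used until SafeTrap/SafeUntrap are applied; keep in step with the defaults in Vend::Config`.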
@@ -173,6 +174,7 @@
 		$ready_safe = new Safe $pkg;
 		$ready_safe->share_from('MVSAFE', ['$safe']);
 #::logDebug("new safe made=$ready_safe->{Root}");
+		$ready_safe->trap(@{$Global::SafeTrap});
 		$ready_safe->untrap(@{$Global::SafeUntrap});
 		no strict 'refs';
 		$Document   = new Vend::Document;
@@ -1384,6 +1386,7 @@
 	RUNSAFE: {
 		last RUNSAFE if defined $status;
 		last RUNSAFE if $status = ($noop && $op);
+		$ready_safe->trap(@{$Global::SafeTrap});
 		$ready_safe->untrap(@{$Global::SafeUntrap});
 		$status = $ready_safe->reval($op)
 			unless ($@ or $status);
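Review bot: `trap` is now called on every pass through `RUNSAFE` with operator-supplied names, and Safe's `trap` croaks on an opcode or tag name it does not know, so a typo in `SafeTrap` would surface as a die at request time here rather than when the configuration is read. Whether an enclosing `eval` catches that is not visible in the hunk; the block's surroundings lie outside it. Checking the names once at configuration time (for example by passing the list through `Opcode::opset` inside an `eval` and rejecting the directive on error) would fail closed earlier and with a clearer message. The existing `untrap` call has the same exposure for `SafeUntrap`.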