[interchange-cvs] interchange - heins modified lib/Vend/Util.pm

interchange-cvs at icdevgroup.org interchange-cvs at icdevgroup.org
Mon Dec 15 17:25:31 EST 2003


User:      heins
Date:      2003-12-15 22:25:31 GMT
Modified:  lib/Vend Tag: STABLE_4_8-branch Util.pm
Log:
* Fix possible SQL/code injection vector

Revision  Changes    Path
No                   revision



No                   revision



2.1.2.14  +8 -2      interchange/lib/Vend/Util.pm


rev 2.1.2.14, prev_rev 2.1.2.13
Index: Util.pm
===================================================================
RCS file: /var/cvs/interchange/lib/Vend/Util.pm,v
retrieving revision 2.1.2.13
retrieving revision 2.1.2.14
diff -u -r2.1.2.13 -r2.1.2.14
--- Util.pm	24 Jan 2003 06:51:52 -0000	2.1.2.13
+++ Util.pm	15 Dec 2003 22:25:30 -0000	2.1.2.14
@@ -1,6 +1,6 @@
 # Vend::Util - Interchange utility functions
 #
-# $Id: Util.pm,v 2.1.2.13 2003/01/24 06:51:52 jon Exp $
+# $Id: Util.pm,v 2.1.2.14 2003/12/15 22:25:30 mheins Exp $
 # 
 # Copyright (C) 1996-2003 Red Hat, Inc. and
 # Interchange Development Group, http://www.icdevgroup.org/
@@ -75,7 +75,7 @@
 use Errno;
 use subs qw(logError logGlobal);
 use vars qw($VERSION @EXPORT @EXPORT_OK);
-$VERSION = substr(q$Revision: 2.1.2.13 $, 10);
+$VERSION = substr(q$Revision: 2.1.2.14 $, 10);
 
 BEGIN {
 	eval {
@@ -892,6 +892,12 @@
     my($file, $only) = @_;
     my($fn, $contents, $gate, $pathdir, $dir, $level);
     local($/);
+
+	if($file =~ m{[\[<]}) {
+		::logGlobal("Possible code/SQL injection attempt with file name '%s'", $file);
+		$file = escape_chars($file);
+		::logGlobal("Suspect file changed to '%s'", $file);
+	}
 
 	$Global::Variable->{MV_PREV_PAGE} = $Global::Variable->{MV_PAGE}
 		if defined $Global::Variable->{MV_PAGE};
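Review bot: The new guard at the top of the hunk is a two-character denylist (`[` and `<`) that rewrites the name and then carries on, so a name that trips it is still used to locate and read a file; an allowlist of permitted filename characters that refuses the request is the usual fix for this class of problem, e.g. `unless ($file =~ m{\A[\w./-]+\z}) { ::logGlobal("Rejected suspect file name '%s'", $file); return; }`, subject to whatever characters Interchange page names legitimately contain. Whether the escaped name can still reach an unintended path depends on what escape_chars() produces, which is not visible here, so the fail-closed form is the safer one. The "SQL" wording of the log message is not supported by anything in this hunk, which only touches file-name handling; I would drop it unless the caller chain justifies it. The added block is also indented with a tab while the neighbouring lines at the start of the hunk use spaces. The enclosing function (taking `$file, $only`) begins before this hunk, so any earlier validation of `$file` is out of view.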







