[interchange-cvs] interchange - heins modified lib/Vend/Util.pm

interchange-cvs at icdevgroup.org interchange-cvs at icdevgroup.org
Mon Dec 15 17:55:01 EST 2003


User:      heins
Date:      2003-12-15 22:55:01 GMT
Modified:  lib/Vend Tag: STABLE_5_0-branch Util.pm
Log:
* Backport fix for possible file security problem with code/SQL injection.

Revision  Changes    Path
No                   revision



No                   revision



2.64.2.1  +8 -2      interchange/lib/Vend/Util.pm


rev 2.64.2.1, prev_rev 2.64
Index: Util.pm
===================================================================
RCS file: /var/cvs/interchange/lib/Vend/Util.pm,v
retrieving revision 2.64
retrieving revision 2.64.2.1
diff -u -r2.64 -r2.64.2.1
--- Util.pm	4 Aug 2003 05:01:37 -0000	2.64
+++ Util.pm	15 Dec 2003 22:55:00 -0000	2.64.2.1
@@ -1,6 +1,6 @@
 # Vend::Util - Interchange utility functions
 #
-# $Id: Util.pm,v 2.64 2003/08/04 05:01:37 mheins Exp $
+# $Id: Util.pm,v 2.64.2.1 2003/12/15 22:55:00 mheins Exp $
 # 
 # Copyright (C) 2002-2003 Interchange Development Group
 # Copyright (C) 1996-2002 Red Hat, Inc.
@@ -87,7 +87,7 @@
 use Vend::File;
 use subs qw(logError logGlobal);
 use vars qw($VERSION @EXPORT @EXPORT_OK);
-$VERSION = substr(q$Revision: 2.64 $, 10);
+$VERSION = substr(q$Revision: 2.64.2.1 $, 10);
 
 my $Eval_routine;
 my $Eval_routine_file;
@@ -1024,6 +1024,12 @@
 
     my($fn, $contents, $gate, $pathdir, $dir, $level);
     local($/);
+
+	if($file =~ m{[\[<]}) {
+		::logGlobal("Possible code/SQL injection attempt with file name '%s'", $file);
+		$file = escape_chars($file);
+		::logGlobal("Suspect file changed to '%s'", $file);
+	}
 
 	$Global::Variable->{MV_PREV_PAGE} = $Global::Variable->{MV_PAGE}
 		if defined $Global::Variable->{MV_PAGE};
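Review bot: The added guard rewrites a suspicious `$file` with `escape_chars()` and then lets the function carry on to the page lookup, so a name already flagged as a possible injection attempt is still processed rather than refused. If callers can cope with a missing page, failing closed is safer: a bare `return;` after the first `logGlobal` call, in place of the escape-and-continue lines. The function's start and its return convention are outside this hunk, so that needs checking first. The pattern `m{[\[<]}` is a two-character denylist, and a short comment saying why these two characters are the dangerous ones here (presumably tag and markup openers) would help the next reader judge whether other metacharacters need the same treatment. The first `logGlobal` call also writes the raw, request-supplied name into the global log, so it is worth confirming that `logGlobal` neutralises newlines and control characters in its `%s` arguments.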







