[interchange-cvs] interchange - heins modified lib/Vend/Util.pm

interchange-core@icdevgroup.org interchange-core@icdevgroup.org
Thu Mar 27 11:53:00 2003


User:      heins
Date:      2003-03-27 16:52:59 GMT
Modified:  lib/Vend Util.pm
Log:
* Add absolute_or_relative() routine to check whether a file name
  is either absolute or contains a ../ component.

  This is a stopgap routine only -- it is quite likely that we should
  do something a bit more useful for checking file security.

  For instance, there are many cases where we check for NoAbsolute and
  then do varied check routines. I guess it would make sense to have
  that just be one call to a subroutine.

  The reason it was done that way originally was to prevent unnecessary
  subroutine call overhead, as the original default for NoAbsolute was
  unset, but now that the default is "Yes" it would be better to do it.
  Improvements in Perl and processor speed have made subroutine overhead
  a smaller problem in non-looping situations like this.

Revision  Changes    Path
2.55      +52 -4     interchange/lib/Vend/Util.pm


rev 2.55, prev_rev 2.54
Index: Util.pm
===================================================================
RCS file: /var/cvs/interchange/lib/Vend/Util.pm,v
retrieving revision 2.54
retrieving revision 2.55
diff -u -r2.54 -r2.55
--- Util.pm	20 Mar 2003 23:31:24 -0000	2.54
+++ Util.pm	27 Mar 2003 16:52:59 -0000	2.55
@@ -1,6 +1,6 @@
 # Vend::Util - Interchange utility functions
 #
-# $Id: Util.pm,v 2.54 2003/03/20 23:31:24 racke Exp $
+# $Id: Util.pm,v 2.55 2003/03/27 16:52:59 mheins Exp $
 # 
 # Copyright (C) 1996-2002 Red Hat, Inc. <interchange@redhat.com>
 #
@@ -85,7 +85,7 @@
 use Safe;
 use subs qw(logError logGlobal);
 use vars qw($VERSION @EXPORT @EXPORT_OK);
-$VERSION = substr(q$Revision: 2.54 $, 10);
+$VERSION = substr(q$Revision: 2.55 $, 10);
 
 my $Eval_routine;
 my $Eval_routine_file;
@@ -952,6 +952,48 @@
 	return \%hash;
 }
 
+## Takes an IC scalar form value (parm=val\nparm2=val) and translates it
+## to a reference
+
+sub scalar_to_hash {
+	my $val = shift;
+
+	$val =~ s/^\s+//mg;
+	$val =~ s/\s+$//mg;
+	my @args;
+
+	@args = split /\n+/, $val;
+
+	my $ref = {};
+
+	for(@args) {
+		m!([^=]+)=(.*)!
+			and $ref->{$1} = $2;
+	}
+	return $ref;
+}
+
+## Takes a form reference (i.e. from \%CGI::values) and makes into a
+## scalar value value (i.e. parm=val\nparm2=val). Also translates it
+## via HTML entities -- it is designed to make it into a hidden
+## form value
+
+sub hash_to_scalar {
+	my $ref = shift
+		or return '';
+
+	unless (ref($ref) eq 'HASH') {
+		die __PACKAGE__ . " hash_to_scalar routine got bad reference.\n";
+	}
+
+	my @parms;
+	while( my($k, $v) = each %$ref ) {
+		$v =~ s/\r?\n/\r/g;
+		push @parms, HTML::Entities::encode("$k=$v");
+	}
+	return join "\n", @parms;
+}
+
 ## This simply returns a hash of words, which may be quoted shellwords
 ## Replaces most of parse_hash in Vend::Config
 sub hash_string {
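Review bot: In `hash_to_scalar` only the value gets its newlines rewritten (`$v =~ s/\r?\n/\r/g;`); the key `$k` goes into `"$k=$v"` as is. The comment says the input is form data such as `\%CGI::values`, so a key containing a newline would produce an extra line in the output. If that string is later parsed by `scalar_to_hash`, which splits on `/\n+/`, the extra line would presumably be read as a separate parameter. Normalizing both copies closes that gap, e.g. `s/\r?\n/\r/g for ($k, $v);`. A key containing `=` will also not round-trip, because `scalar_to_hash` splits at the first `=`; a short comment stating that limit would help. Whether `HTML::Entities` is loaded is not visible in this hunk, so the fully-qualified `HTML::Entities::encode` call is worth confirming against the file's `use` lines.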
@@ -2019,11 +2061,17 @@
 # Can't use that because it INSISTS on object
 # calls without returning a blessed object
 
-my $abspat = $^O =~ /win32/i ? '^([a-z]:)?[\\\\/]' : '^/';
+my $abspat = $^O =~ /win32/i ? qr{^([a-zA-Z]:)?[\\/]} : qr{^/};
+my $relpat = qr{\.\.[\\/]};
 
 sub file_name_is_absolute {
     my($file) = @_;
-    $file =~ m{$abspat}oi ;
+    $file =~ $abspat;
+}
+
+sub absolute_or_relative {
+    my($file) = @_;
+    $file =~ $abspat or $file =~ $relpat;
 }
 
 sub win_catfile {
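Review bot: `$relpat = qr{\.\.[\\/]}` only matches a `..` that is followed by a separator, so a name whose last component is `..` (or that is exactly `..`) is not flagged by `absolute_or_relative`. It also flags harmless names such as `foo../bar`, because the match is not tied to a component boundary. Anchoring on components handles both cases: `my $relpat = qr{(?:\A|[\\/])\.\.(?:[\\/]|\z)};`. Both new subs rely on the implicit value of the last expression; an explicit `return` plus a comment such as `## True if the name is absolute or has a ".." path component (lexical check only)` would make the contract clear to callers that use it for the NoAbsolute check.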