[interchange-cvs] [SCM] Interchange branch, master, updated. f265e8a282e61bb46a14ebfd41a842f13d96db17

Jon Jensen interchange-cvs at icdevgroup.org
Wed Sep 2 01:56:22 UTC 2009


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "Interchange".

The branch, master has been updated
       via  f265e8a282e61bb46a14ebfd41a842f13d96db17 (commit)
      from  104d0006f1d7f6bb1d34508b0cf91b47a30b15e9 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit f265e8a282e61bb46a14ebfd41a842f13d96db17
Author: Jon Jensen <jon at endpoint.com>
Date:   Tue Sep 1 19:53:25 2009 -0600

    Prevent TemplateDir from circumventing NoAbsolute constraints
    
    Problem reported by Peter Ajamian.

-----------------------------------------------------------------------

Summary of changes and diff:
 dist/test/products/tests.asc |   23 +++++++++++++++++++++++
 lib/Vend/File.pm             |    8 +++++---
 2 files changed, 28 insertions(+), 3 deletions(-)

diff --git a/dist/test/products/tests.asc b/dist/test/products/tests.asc
index bf154a8..9d3df92 100644
--- a/dist/test/products/tests.asc
+++ b/dist/test/products/tests.asc
@@ -2997,6 +2997,29 @@ Should succeed: 1
 %%
 Verify fix of AllowedFileRegex circumvention
 %%%
+000167
+%%
+[calcn]
+    # /etc/passwd makes a good demonstration
+    unshift @{$Config->{TemplateDir}}, '/etc';
+    return;
+[/calcn]
+<pre>[file passwd]</pre>
+[calcn]
+    # clean up after our mess
+    shift @{$Config->{TemplateDir}};
+    return;
+[/calcn]
+%%
+
+<pre></pre>
+
+%%
+%%
+
+%%
+Verify fix of TemplateDir circumvention of NoAbsolute constraints
+%%%
 999999
 %%
 [the test] [perl]
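Review bot: the expected-output field for test 000167 is an empty `<pre></pre>`, which is also what `[file passwd]` yields when `/etc/passwd` simply does not exist on the test host, so the test can pass without the NoAbsolute gate ever being exercised. Consider making the expectation positive, for example by also asserting that a file violation was logged for the `/etc/passwd` candidate, or by first confirming the file is readable outside Interchange so a blank result can only mean the read was refused. The `unshift`/`shift` pair restores `TemplateDir` correctly as long as both `[calcn]` blocks run in the same page; if the `[file passwd]` tag ever died mid-test, the `/etc` entry would leak into the following tests.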
diff --git a/lib/Vend/File.pm b/lib/Vend/File.pm
index a575ce8..e456bf6 100644
--- a/lib/Vend/File.pm
+++ b/lib/Vend/File.pm
@@ -215,9 +215,11 @@ sub readfile {
 		$file = $ifile;
 	}
 	else {
-		for( ".", @{$Vend::Cfg->{TemplateDir} || []}, @{$Global::TemplateDir || []}) {
-			next if ! -f "$_/$ifile";
-			$file = "$_/$ifile";
+		for (".", @{$Vend::Cfg->{TemplateDir} || []}, @{$Global::TemplateDir || []}) {
+			my $candidate = "$_/$ifile";
+			log_file_violation($candidate), next if ! allowed_file($candidate);
+			next if ! -f $candidate;
+			$file = $candidate;
 			last;
 		}
 	}
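Review bot: the new `allowed_file` gate covers only the TemplateDir search loop; the `$file = $ifile;` branch at the top of the hunk is left untouched, so it is worth confirming in review that that path is already subject to the same constraint, otherwise the circumvention described in the commit message is closed for relative lookups but not for the other branch. Checking `allowed_file` before `-f` is the right order, since it avoids stat'ing a disallowed path at all, but note that it also means `log_file_violation` fires once per disallowed directory for every lookup, even when the file does not exist there, which may be noisy with several TemplateDir entries. Stylistically, `log_file_violation($candidate), next if ! allowed_file($candidate);` relies on the comma operator inside a statement modifier; a plain block reads more clearly:
    unless (allowed_file($candidate)) {
        log_file_violation($candidate);
        next;
    }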


hooks/post-receive
-- 
Interchange