
SF.net SVN: ledger-smb: [175] trunk



Revision: 175
          http://svn.sourceforge.net/ledger-smb/?rev=175&view=rev
Author:   tetragon
Date:     2006-10-01 21:36:31 -0700 (Sun, 01 Oct 2006)

Log Message:
-----------
Adding file location checks to the template editor

Modified Paths:
--------------
    trunk/LedgerSMB/AM.pm
    trunk/bin/mozilla/am.pl

Modified: trunk/LedgerSMB/AM.pm
===================================================================
--- trunk/LedgerSMB/AM.pm	2006-09-30 15:01:08 UTC (rev 174)
+++ trunk/LedgerSMB/AM.pm	2006-10-02 04:36:31 UTC (rev 175)
@@ -1230,10 +1230,35 @@
 }
 
 
+sub check_template_name {
+
+	my ($self, $myconfig, $form) = @_;
+
+	my @allowedsuff = qw(css tex txt html xml);
+	if ($form->{file} =~ /\.\./){
+		$form->error("Directory transversal not allowed.");
+	}
+	my $whitelisted = 0;
+	for (@allowedsuff){
+		if ($form->{file} =~ /$_$/){
+			$whitelisted = 1;
+		}
+	}
+	if (!$whitelisted){
+		$form->error("Error:  File is of type that is not allowed.");
+	}
+
+	if ($form->{file} !~ /^$myconfig->{templates}/){
+		$form->error("$!: $form->{file}") unless $form->{file} =~ /^css/;
+	}
+}
+
+
 sub load_template {
 
-	my ($self, $form) = @_;
+	my ($self, $myconfig, $form) = @_;
 
+	$self->check_template_name(\%$myconfig, \%$form);
 	open(TEMPLATE, "$form->{file}") or $form->error("$form->{file} : $!");
 
 	while (<TEMPLATE>) {
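Review bot: The location check at `if ($form->{file} !~ /^$myconfig->{templates}/)` interpolates the configured templates path into the pattern unescaped, so a regex metacharacter in that directory name (`.`, `+`, `(`) is interpreted rather than matched literally, and as a bare prefix it also admits sibling directories that share the path's leading characters (a `templates/foo` setting accepts `templates/foobar/x.html`). Quoting and anchoring on a separator fixes both: `if ($form->{file} !~ m{\A\Q$myconfig->{templates}\E/}) {` (drop the trailing `/` if the configured value already ends with one — not visible here). The suffix loop `/$_$/` has the same looseness, matching `foohtml` with no dot and tolerating a trailing newline via `$`; one anchored test replaces the loop: `my $whitelisted = $form->{file} =~ /\.(?:css|tex|txt|html|xml)\z/;`. The `/^css/` exemption waives the location check for any name beginning with `css`, not only the css directory, so `m{\Acss/}` is safer, and the unchanged 2-arg `open(TEMPLATE, "$form->{file}")` below would stop depending on these checks for mode safety as `open(TEMPLATE, '<', $form->{file})`.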
@@ -1247,22 +1272,9 @@
 
 sub save_template {
 
-	my ($self, $form) = @_;
+	my ($self, $myconfig, $form) = @_;
 
-	my @allowedsuff = qw(css tex txt html xml);
-	if ($form->{file} =~ /\.\./){
-		$form->error("Directory transversal not allowed.");
-	}
-	my $whitelisted = 0;
-	for (@allowedsuff){
-		if ($form->{file} =~ /$_$/){
-			$whitelisted = 1;
-		}
-	}
-	if (!$whitelisted){
-		$form->error("Error:  File is of type that is not allowed.");
-	}
-
+	$self->check_template_name(\%$myconfig, \%$form);
 	open(TEMPLATE, ">$form->{file}") or $form->error("$form->{file} : $!");
 
 	# strip 
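Review bot: The new guard only protects the write on the following line if `$form->error` terminates the request; `check_template_name` has no `return` after its error calls and `$form->error` is not visible here, so if it ever merely reports and returns, `open(TEMPLATE, ">$form->{file}")` still runs on the rejected name. Either confirm that `error` exits, or have the helper return false on rejection and write `$self->check_template_name(\%$myconfig, \%$form) or return;`. The unchanged 2-arg open is also the one place a user-supplied name is parsed as a mode string; `open(TEMPLATE, '>', $form->{file})` removes that dependency on the checks. save_template's body continues outside the hunk.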

Modified: trunk/bin/mozilla/am.pl
===================================================================
--- trunk/bin/mozilla/am.pl	2006-09-30 15:01:08 UTC (rev 174)
+++ trunk/bin/mozilla/am.pl	2006-10-02 04:36:31 UTC (rev 175)
@@ -1598,7 +1598,7 @@
 
   $form->error("$!: $form->{file}") unless -f $form->{file};
 
-  AM->load_template(\%$form);
+  AM->load_template(\%myconfig, \%$form);
 
   $form->{title} = $form->{file};
 
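Review bot: The `-f $form->{file}` test two lines above the call still runs against the unvalidated path, before `load_template` reaches the new `check_template_name`, so a request can learn whether an arbitrary file exists on the server from which error comes back (`$!: file` when it does not, the traversal or file-type message when it does). Validating first closes that oracle: call `AM->check_template_name(\%myconfig, \%$form);` ahead of the `-f` test, or drop the test and let `load_template`'s own open failure report a missing file. The enclosing sub begins outside the hunk, so how `$form->{file}` is populated is not visible here.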
@@ -1643,7 +1643,7 @@
 
 sub edit_template {
 
-  AM->load_template(\%$form);
+  AM->load_template(\%myconfig, \%$form);
 
   $form->{title} = $locale->text('Edit Template');
   # convert &nbsp to &amp;nbsp;
@@ -1691,7 +1691,7 @@
 
 sub save_template {
 
-  AM->save_template(\%$form);
+  AM->save_template(\%myconfig, \%$form);
   $form->redirect($locale->text('Template saved!'));
   
 }

