
SF.net SVN: ledger-smb: [493] trunk



Revision: 493
          http://svn.sourceforge.net/ledger-smb/?rev=493&view=rev
Author:   tetragon
Date:     2006-11-07 15:47:14 -0800 (Tue, 07 Nov 2006)

Log Message:
-----------
Whitelist redirect destination

Modified Paths:
--------------
    trunk/LedgerSMB/Form.pm
    trunk/LedgerSMB/Sysconfig.pm
    trunk/bin/am.pl

Modified: trunk/LedgerSMB/Form.pm
===================================================================
--- trunk/LedgerSMB/Form.pm	2006-11-07 23:07:07 UTC (rev 492)
+++ trunk/LedgerSMB/Form.pm	2006-11-07 23:47:14 UTC (rev 493)
@@ -321,6 +321,8 @@
 	if ($self->{callback}) {
 
 		my ($script, $argv) = split(/\?/, $self->{callback});
+		$self->error($locale->text("Invalid redirect")) unless
+			grep {/$script/} @{LedgerSMB::Sysconfig::scripts};
 		exec ("perl", $script, $argv);
 
 	} else {
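Review bot: The whitelist test on the two added lines runs in the wrong direction: the untrusted `$script` is interpolated as the regex pattern and matched unanchored against each whitelist entry, so any substring of an allowed name (`m`, `.pl`, `a`) passes, a value such as `am.pl|x` passes via alternation, a metacharacter such as `(` makes the pattern die at compile time, and an empty `$script` (a callback with nothing before the `?`) becomes Perl's empty pattern, which reuses the last successful match. Compare exactly instead: `grep { $_ eq $script } @{LedgerSMB::Sysconfig::scripts}`. The guard also relies on `$self->error` not returning — if it does, the `exec` on the next line still runs; presumably it exits, but that is worth confirming since it is not visible here. The enclosing subroutine starts before the hunk and its `else` branch continues past it.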

Modified: trunk/LedgerSMB/Sysconfig.pm
===================================================================
--- trunk/LedgerSMB/Sysconfig.pm	2006-11-07 23:07:07 UTC (rev 492)
+++ trunk/LedgerSMB/Sysconfig.pm	2006-11-07 23:47:14 UTC (rev 493)
@@ -13,6 +13,12 @@
 
 @io_lineitem_columns = qw(unit onhand sellprice discount linetotal);
 
+# Whitelist for redirect destination
..hidden.. = ('aa.pl', 'admin.pl', 'am.pl', 'ap.pl', 'ar.pl', 'arap.pl', 
+	'arapprn.pl', 'bp.pl', 'ca.pl', 'cp.pl', 'ct.pl', 'gl.pl', 'hr.pl',
+	'ic.pl', 'io.pl', 'ir.pl', 'is.pl', 'jc.pl', 'login.pl', 'menu.pl',
+	'oe.pl', 'pe.pl', 'pos.pl', 'ps.pl', 'pw.pl', 'rc.pl', 'rp.pl');
+
 # if you have latex installed set to 1
 $latex = 1;
 

Modified: trunk/bin/am.pl
===================================================================
--- trunk/bin/am.pl	2006-11-07 23:07:07 UTC (rev 492)
+++ trunk/bin/am.pl	2006-11-07 23:47:14 UTC (rev 493)
@@ -3202,6 +3202,8 @@
 
       @a = ("perl", "$form->{script}", "action=reprint&module=$form->{module}&type=$form->{type}&login=$form->{login}&path=$form->{path}&sessionid=$form->{sessionid}&id=$form->{id}&formname=$f[$j]&format=$f[$j+1]&media=$media&vc=$form->{vc}&ARAP=$form->{ARAP}");
 
+      $form->error($locale->text('Invalid redirect')) unless
+        grep {/$form->{script}/} @{LedgerSMB::Sysconfig::scripts};
       $ok = !(system(@a));
       
       if ($ok) {
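Review bot: The added check has the same pattern-direction weakness as the Form.pm change: the user-supplied `$form->{script}` is used as an unanchored regex pattern against the whitelist, so partial names, alternations such as `am.pl|x`, and regex metacharacters (which die when the pattern compiles) are not handled as intended; use `grep { $_ eq $form->{script} } @{LedgerSMB::Sysconfig::scripts}`. Placing the check before `@a` is assembled would read more naturally, though as written it does precede `system(@a)`. Separately, the context line passes `login` and `sessionid` as a command-line argument, which is visible to other local users via the process list; this predates the commit but deserves a `# TODO` since the redirect path is being hardened here. The enclosing subroutine, and what appears to be a loop over `@f`, start before the hunk.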
@@ -3241,6 +3243,8 @@
       
       @a = ("perl", "$form->{script}", "action=reprint&module=$form->{module}&type=$form->{type}&login=$form->{login}&path=$form->{path}&sessionid=$form->{sessionid}&id=$form->{id}&formname=$f[$j]&format=$f[$j+1]&media=email&vc=$form->{vc}&ARAP=$form->{ARAP}&message=$message");
 
+      $form->error($locale->text('Invalid redirect')) unless
+        grep {/$form->{script}/} @{LedgerSMB::Sysconfig::scripts};
       $ok = !(system(@a));
       
       if ($ok) {
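Review bot: This is the second verbatim copy of the whitelist check in am.pl, with the same regex-as-pattern weakness as the copy about forty lines above and the one in Form.pm; a single helper that does an exact `eq` comparison against `@LedgerSMB::Sysconfig::scripts` and calls `error` on a miss would keep the three call sites from drifting apart. Until then the minimal fix is `grep { $_ eq $form->{script} } @{LedgerSMB::Sysconfig::scripts}`. The enclosing subroutine starts before the hunk.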

