SF.net SVN: ledger-smb:[5042] branches/1.3
- Subject: SF.net SVN: ledger-smb:[5042] branches/1.3
- From: ..hidden..
- Date: Wed, 25 Jul 2012 10:53:37 +0000
Revision: 5042
http://ledger-smb.svn.sourceforge.net/ledger-smb/?rev=5042&view=rev
Author: einhverfr
Date: 2012-07-25 10:53:37 +0000 (Wed, 25 Jul 2012)
Log Message:
-----------
correcting directory transversal not allowed errors when using fs_cssdir
Modified Paths:
--------------
branches/1.3/Changelog
branches/1.3/LedgerSMB/AM.pm
Modified: branches/1.3/Changelog
===================================================================
--- branches/1.3/Changelog 2012-07-25 10:44:10 UTC (rev 5041)
+++ branches/1.3/Changelog 2012-07-25 10:53:37 UTC (rev 5042)
@@ -16,6 +16,7 @@
* File->get_for_template now gets most recent parts image (Chris T)
* Fixed error on generate purchase orders (Chris T, 3544857, h/t Nigel T)
* Fixed internal server errors with date parsing (Chris T, 3546698)
+* Fixed "Directory Transversal Not Allowed w/fs_cssdir (Chris T, h/t Robert C)
Changelog for 1.3.20
* Fixes for es_AR translation, duplicate keys removed (Andres B)
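Review bot: The added Changelog entry opens a double quote before "Directory Transversal Not Allowed" and never closes it, so the quoted error text runs into "w/fs_cssdir". Close the quote after "Allowed" so the entry reads as the error message followed by the condition, matching how the neighbouring entries are punctuated.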
Modified: branches/1.3/LedgerSMB/AM.pm
===================================================================
--- branches/1.3/LedgerSMB/AM.pm 2012-07-25 10:44:10 UTC (rev 5041)
+++ branches/1.3/LedgerSMB/AM.pm 2012-07-25 10:53:37 UTC (rev 5042)
@@ -1501,6 +1501,11 @@
my @allowedsuff = qw(css tex txt html xml);
my $test = $form->{file};
+ $test =~ s|^$LedgerSMB::Sysconfig::fs_cssdir||;
+ if ($LedgerSMB::Sysconfig::fs_cssdir
+ and $LedgerSMB::Sysconfig::fs_cssdir !~ m|/$|){
+ $test =~ s|^/||;
+ }
if ($LedgerSMB::Sysconfig::templates =~ /^(.:)*?\//){
$test =~ s#^$LedgerSMB::Sysconfig::templates/?\\?##;
}
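Review bot: In the added line `$test =~ s|^$LedgerSMB::Sysconfig::fs_cssdir||;` the configured path is interpolated as a regular expression rather than as a literal string, so any metacharacter in fs_cssdir (a `.` or `+` in a directory name, for instance) changes what gets stripped from `$test`. Quote it, as in `s|^\Q$LedgerSMB::Sysconfig::fs_cssdir\E||`. The pattern also does not require a path separator after the prefix, so a file name that merely begins with the same characters as fs_cssdir loses them too. Separately, the following `$test =~ s|^/||` depends only on the configuration value, not on whether the prefix substitution matched, so a leading `/` is removed from `$test` even when `$form->{file}` never started with fs_cssdir. Since `$test` is the value being prepared for the path checks, make the slash strip conditional on the first substitution having succeeded. The existing templates substitution a few lines below has the same unquoted interpolation and could be fixed in the same change.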