[Rt-commit] rt branch, 3.8-trunk, updated. rt-3.8.7-152-ge7431db
sartak at bestpractical.com
Tue Feb 9 22:51:08 EST 2010
The branch, 3.8-trunk has been updated
via e7431dbebb6989563b770cceeafdbf1d02627492 (commit)
from 306df9019b263bee09d5c5e564179849f7c59536 (commit)
Summary of changes:
lib/RT/Interface/Web.pm | 5 +++++
1 files changed, 5 insertions(+), 0 deletions(-)
- Log -----------------------------------------------------------------
commit e7431dbebb6989563b770cceeafdbf1d02627492
Author: Shawn M Moore <sartak at bestpractical.com>
Date: Tue Feb 9 22:50:10 2010 -0500
Reject paths for which canonpath returns undef
diff --git a/lib/RT/Interface/Web.pm b/lib/RT/Interface/Web.pm
index fccfdb2..d6b854f 100755
--- a/lib/RT/Interface/Web.pm
+++ b/lib/RT/Interface/Web.pm
@@ -575,6 +575,11 @@ sub PathIsSafe {
# Get File::Spec to clean up extra /s, ./, etc
my $cleaned_up = File::Spec->canonpath($path);
+ if (!defined($cleaned_up)) {
+ $RT::Logger->info("Rejecting path that canonpath doesn't understand: $path");
+ return 0;
+ }
+
# Forbid too many ..s. We can't just sum then check because
# "../foo/bar/baz" should be illegal even though it has more
# downdirs than updirs. So as soon as we get a negative score
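Review bot: the new guard interpolates `$path` into the info log right after `canonpath` returned undef for it; if the undef result comes from `$path` itself being undefined (which is the usual reason `canonpath` returns nothing), the log line will emit an "uninitialized value" warning of its own and record an empty path. Consider checking `defined $path` before calling `canonpath`, or logging `$path // '<undef>'` so the message stays useful. Separately, since `$path` is request-controlled, logging it verbatim lets newlines and control characters land in the log; escaping or truncating it before the `info` call keeps log lines parseable.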
-----------------------------------------------------------------------