[rt-devel] templates need to be untainted too

Mon Apr 2 12:43:22 EDT 2001

Index: Template.pm
===================================================================
RCS file: /proj/maps/cvsroot/rt/lib/RT/Template.pm,v
retrieving revision 1.1.2.6
retrieving revision 1.6
diff -u -b -r1.1.2.6 -r1.6
@@ -273,11 +258,12 @@
   $T::Ticket = $args{'TicketObj'};
   $T::Transaction = $args{'TransactionObj'};
   $T::Argument = $args{'Argument'};
   $T::rtname=$RT::rtname;
   $T::WebRT=$RT::WebRT;
   
+  $self->Content =~ /^(.*)$/s; #untaint templates
   $template=Text::Template->new(TYPE=>STRING, 
-                               SOURCE=>$self->Content);
+                               SOURCE=>$1);
   
   return ($template->fill_in(PACKAGE=>T));
 }


-- 
meow
_ivan


