From: <sa...@da...> - 2005-12-19 23:34:27
Log Message: ----------- (Re-commit after CVS restore) Fixed a flaw in Krang::Handler that allowed access to any file via the root handler. Now only image files and the two Krang CSS files are accessable without logging-in. Modified Files: -------------- krang/lib/Krang: Handler.pm Revision Data ------------- Index: Handler.pm =================================================================== RCS file: /usr/local/krang-cvs/krang/lib/Krang/Handler.pm,v retrieving revision 1.31 retrieving revision 1.32
diff -Llib/Krang/Handler.pm -Llib/Krang/Handler.pm -u -r1.31 -r1.32
--- lib/Krang/Handler.pm
+++ lib/Krang/Handler.pm
@@ -196,8 +196,8 @@
 }
 }
- # Allow requests for other assets to pass through normally
- return DECLINED unless ($uri eq '/');
+ # stop other requests unless they're for the root
+ return FORBIDDEN unless ($uri eq '/');
 # We're looking at the root. Set handler to show list of instances
 $r->handler("perl-script");
@@ -309,10 +309,11 @@
 return OK;
 }
- # always allow access to the CSS file and the logo - needed before
+ # always allow access to the CSS file and images - needed before
 # login to display the login screen
- return OK if $path =~ m!krang\.css$! or $path =~ m!logo\.gif$!;
-
+ return OK if $path =~ m!krang(_login)?\.css$!
+ or $path =~ m!\.(gif|jpg|png)$!;
+
 # If user is logged in, we're done
 return OK if (defined($r->connection->user())); |
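Review bot: The new exemption `return OK if $path =~ m!krang(_login)?\.css$! or $path =~ m!\.(gif|jpg|png)$!;` matches on file suffix alone, so any resource whose path ends in `.gif`, `.jpg`, `.png`, `krang.css` or `krang_login.css` is served without authentication wherever it lives under the document root, whereas the old `logo\.gif` check named one specific file. If the pre-login assets live in a known directory, anchoring the pattern to that prefix keeps the exemption as narrow as the log message describes, e.g. `m!\A/<ASSET_DIR>/[^/]+\.(?:gif|jpg|png)\z!` (constructed example; `<ASSET_DIR>` is a placeholder for the project's real asset path). Independently, `$` also matches before a trailing newline, so `\z` is the stricter end anchor for a path check, and `(?:...)` avoids an unused capture. Whether `$path` is already canonicalized (no `..` segments) is decided outside this hunk, and the enclosing subroutine starts and ends outside it.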