From: Rob H. <for...@us...> - 2002-08-26 06:59:51
Update of /cvsroot/sandweb/sandweb/lib/SandWeb
In directory usw-pr-cvs1:/tmp/cvs-serv17665/lib/SandWeb
Modified Files: Browse.pm
Added Files: Security.pm
Log Message: adding Security class, centralizes standard security checks for user input in SandWeb
--- NEW FILE ---
#lib/SandWeb/Security.pm
#
# This class has methods to handle common perl/cgi security problems.
#
# SandWeb (Web-based VCS client)
#
# Copyright (C) 2002 Nick Jennings
# Copyright (C) 2002 Robert Helmer
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
package SandWeb::Security;
sub new {
my $class = shift;
my $self = bless {}, $class;
return $self;
}
sub path {
my $self = shift;
my %args = @_;
my $filename = $args{'filename'};
# Security check, no "/.." or "../" allowed mister!
if ($filename) {
$filename =~ s:/\.\.::g;
$filename =~ s:\.\./::g;
}
return $filename;
}
sub shell {
my $self = shift;
my %args = @_;
my $characters = $args{'characters'};
# Security check - escape unsafe characters
$characters =~ s/([\<\>\\\&;\`\'\|\"*\?\~\^\(\)\[\]\{\}\$])/\\$1/g;
return $characters;
}
1;
Index: Browse.pm
===================================================================
RCS file: /cvsroot/sandweb/sandweb/lib/SandWeb/Browse.pm,v
retrieving revision 1.78
retrieving revision 1.79
diff -U2 -r1.78 -r1.79
--- Browse.pm 29 Jul 2002 17:41:41 -0000 1.78
+++ Browse.pm 26 Aug 2002 06:59:47 -0000 1.79
@@ -36,4 +36,5 @@
 use SandWeb::File;
+use SandWeb::Security;
 sub new {
@@ -66,5 +67,13 @@
 my %args = @_;
- my $location = $args{'location'};
+ my $unsafe_location = $args{'location'};
+
+ # Security check
+ my $secure = SandWeb::Security->new();
+
+ my $location = $secure->path(
+ filename => "$unsafe_location"
+ );
+
 my $progname = $args{'progname'};
 my $repo_type = $args{'repo_type'};
@@ -195,5 +204,13 @@
 my @loop_data;
- my $location = $args{'location'};
+ my $unsafe_location = $args{'location'};
+
+ # Security check
+ my $secure = SandWeb::Security->new();
+
+ my $location = $secure->path(
+ filename => "$unsafe_location"
+ );
+
 my $progname = $args{'progname'};
@@ -224,5 +241,13 @@
 my %args = @_;
- my $location = $args{'location'};
+ my $unsafe_location = $args{'location'};
+
+ # Security check
+ my $secure = SandWeb::Security->new();
+
+ my $location = $secure->path(
+ filename => "$unsafe_location"
+ );
+
 my $progname = $args{'progname'};
@@ -235,15 +260,5 @@
 my $count;
- if ($location eq '/') {
- $location = '';
- }
- if ($location) {
- # Security check, no "/.." or "../" allowed mister!
- $location =~ s:/\.\.::g;
- $location =~ s:\.\./::g;
- } else {
- $location = '';
- }
 my @location_link;
 push (@location_link, split( /\//, $location ));
|
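Review bot: In `path` of the new Security.pm, each of the two substitutions runs a single pass, so deleting one `/..` or `../` can join the characters around it into a fresh traversal sequence that is returned unchecked, and a bare `..` with no slash is never matched. Rejecting is easier to reason about than rewriting, for example `return '' if grep { $_ eq '..' } split m{/}, $filename;`, with callers treating the empty result as a refusal and, where they open files, confirming the resolved path stays under the repository root. In `shell`, the escape list does not cover whitespace or newline and the substitution runs on `$args{'characters'}` without a defined-check; passing arguments to `system` in list form would avoid shell quoting altogether. The package also has no `use strict;` or `use warnings;`.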
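Review bot: The block added at `@@ -66,5 +67,13 @@` is repeated verbatim at `@@ -195,5 +204,13 @@` and `@@ -224,5 +241,13 @@`, and each copy builds a throwaway `SandWeb::Security` object that holds no state. The quotes in `filename => "$unsafe_location"` only stringify the value, which turns an undefined location into `''` and would warn under `use warnings`; `my $location = SandWeb::Security->new()->path( filename => $args{'location'} );` is shorter, though it returns undef rather than `''` for a missing location. The `# Security check` comment would be more useful if it said what is guaranteed, e.g. `# strips "/.." and "../" once; does not confine $location to the repository root`. The enclosing subs start and end outside these hunks, so how `$location` reaches the filesystem is not visible here.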
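Review bot: After the `$secure->path(...)` call added at `@@ -224,5 +241,13 @@`, a location of exactly `/` is no longer mapped to `''`, because the removal at `@@ -235,15 +260,5 @@` (apparently in the same sub) drops that normalisation together with the old inline check and `path` does not replace it. The `split` that follows yields an empty list either way, but code outside the hunk that reads `$location` may now see `/` where it used to see the empty string. If the old behaviour is wanted, keep one line after the call: `$location = '' if !defined $location || $location eq '/';`.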