From: Rob H. <for...@us...> - 2003-03-05 08:31:12
Update of /cvsroot/sandweb/sandweb/bin In directory sc8-pr-cvs1:/tmp/cvs-serv10731/bin Modified Files: sandweb.cgi Log Message: erase alot of unsafe characters, should prevent any security breaches.
Index: sandweb.cgi
===================================================================
RCS file: /cvsroot/sandweb/sandweb/bin/sandweb.cgi,v
retrieving revision 1.345
retrieving revision 1.346
diff -U2 -r1.345 -r1.346
--- sandweb.cgi 3 Feb 2003 20:56:00 -0000 1.345
+++ sandweb.cgi 5 Mar 2003 08:31:02 -0000 1.346
@@ -40,5 +40,5 @@
 uses SandWeb, SandWeb::Repository, SandWeb::Browse, SandWeb::File,
- SandWeb::Config, Data::Dumpber, CGI::Carp, CGI
+ SandWeb::Config, Data::Dumpber, CGI::Carp, CGI, SandWeb::Security
 =cut
@@ -51,4 +51,5 @@
 use SandWeb::File;
 use SandWeb::Config;
+use SandWeb::Security;
 # Debugging
@@ -188,16 +189,47 @@
 # has valid auth cookie
 my $repository_selected = $cgi->param('repository_selected') || '';
- my $repo_name = $cgi->param('repo_name') || '';
- my $repo_server = $cgi->param('repo_server') || '';
- my $repo_username = $cgi->param('repo_username') || '';
- my $repo_password = $cgi->param('repo_password') || '';
- my $remember_repo_password = $cgi->param('remember_repo_password') || '';
- my $repo_type = $cgi->param('repo_type') || '';
- my $repo_connection = $cgi->param('repo_connection') || '';
- my $repo_root = $cgi->param('repo_root') || '';
+
+ # Create an object to secure user input for shell use
+ my $secure = SandWeb::Security->new();
+
+ my $unsafe_repo_name = $cgi->param('repo_name') || '';
+ my $repo_name = $secure->shell(
+ characters => "$unsafe_repo_name",
+ );
+ my $unsafe_repo_server = $cgi->param('repo_server') || '';
+ my $repo_server = $secure->shell(
+ characters => "$unsafe_repo_server",
+ );
+ my $unsafe_repo_username = $cgi->param('repo_username') || '';
+ my $repo_username = $secure->shell(
+ characters => "$unsafe_repo_username",
+ );
+ my $unsafe_repo_password = $cgi->param('repo_password') || '';
+ my $repo_password = $secure->shell(
+ characters => "$unsafe_repo_password",
+ );
+ my $unsafe_remember_repo_password = $cgi->param('remember_repo_password') || '';
+ my $remember_repo_password = $secure->shell(
+ characters => "$unsafe_remember_repo_password",
+ );
+ my $unsafe_repo_type = $cgi->param('repo_type') || '';
+ my $repo_type = $secure->shell(
+ characters => "$unsafe_repo_type",
+ );
+ my $unsafe_repo_connection = $cgi->param('repo_connection') || '';
+ my $repo_connection = $secure->shell(
+ characters => "$unsafe_repo_connection",
+ );
+ my $unsafe_repo_root = $cgi->param('repo_root') || '';
+ my $repo_root = $secure->shell(
+ characters => "$unsafe_repo_root",
+ );
 my $new_repository = $cgi->param('new_repository') || '';
 my $submit = $cgi->param('Submit') || '';
 my $vcs_command = $cgi->param('vcs_command') || '';
- my $module_name = $cgi->param('module_name') || '';
+ my $unsafe_module_name = $cgi->param('module_name') || '';
+ my $module_name = $secure->shell(
+ characters => "$unsafe_module_name",
+ );
 my $module_description = $cgi->param('module_description') || '';
 my $location = $cgi->param('location') || ''; |
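Review bot: Every filtered parameter in this hunk keeps its raw value alive in a sibling `$unsafe_*` lexical for the rest of the enclosing sub, so any later line can reach the unfiltered string by dropping one prefix; building the filtered values in a single loop, as below, leaves no unfiltered name in scope and replaces the nine repeated four-line blocks. `$repo_password` is run through the same `shell()` filter, which, going by the log message, erases characters rather than rejecting the input, so a credential containing one of those characters is silently changed — a password should be handed to a subprocess through list-form `system`/`open` or its stdin rather than rewritten to fit a command string. `$vcs_command`, `$location`, `$module_description`, `$new_repository` and `$submit` are still read raw; if any of them is interpolated into a command further down, this commit does not cover that path. Parameters with a fixed vocabulary such as `repo_type` and `repo_connection` would be safer compared against the list of supported values and refused on mismatch than filtered character by character. The enclosing sub starts and ends outside the hunk.
```perl
    # Create an object to secure user input for shell use
    my $secure = SandWeb::Security->new();

    # Filter every shell-bound parameter in one place so the raw value
    # never gets a lexical of its own in this scope.
    my %safe_param;
    for my $name (qw(repo_name repo_server repo_username repo_password
                     remember_repo_password repo_type repo_connection
                     repo_root module_name)) {
        $safe_param{$name} = $secure->shell(
            characters => ($cgi->param($name) || ''),
        );
    }
    my $repo_name              = $safe_param{repo_name};
    my $repo_server            = $safe_param{repo_server};
    my $repo_username          = $safe_param{repo_username};
    my $repo_password          = $safe_param{repo_password};
    my $remember_repo_password = $safe_param{remember_repo_password};
    my $repo_type              = $safe_param{repo_type};
    my $repo_connection        = $safe_param{repo_connection};
    my $repo_root              = $safe_param{repo_root};
    my $module_name            = $safe_param{module_name};
    # … unchanged: $new_repository, $submit, $vcs_command, $module_description, $location reads …
```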