Update of /cvsroot/sandweb/sandweb/lib/SandWeb
In directory sc8-pr-cvs1:/tmp/cvs-serv6501/lib/SandWeb
Modified Files:
Security.pm
Log Message:
added some much-needed security -
now Security->shell() just erases unsafe characters, and tag complains
if you don't enter a tag name.
It's possible for the user to enter an invalid tag name ( e.g. begins
with a number or - or _ ) but they shouldn't be able to make arbitrary
calls to the shell.
Index: Security.pm
===================================================================
RCS file: /cvsroot/sandweb/sandweb/lib/SandWeb/Security.pm,v
retrieving revision 1.5
retrieving revision 1.6
diff -U2 -r1.5 -r1.6
--- Security.pm 11 Feb 2003 06:37:23 -0000 1.5
+++ Security.pm 5 Mar 2003 08:19:56 -0000 1.6
@@ -181,9 +181,6 @@
my $characters = $args{'characters'};
- # Security check - erase forbidden characters
- $characters =~ s/\"//g;
-
- # Security check - escape unsafe characters
- $characters =~ s/([\<\>\\\&;\`\'\|\"*\?\~\^\(\)\[\]\{\}\$])/\\$1/g;
+ # Security check - erase unsafe characters
+ $characters =~ s/([\`\~\!\@\#\$\%\^\&\*\(\)\=\+\[\{\]\}\;\:\'\"\\<\>\/\?\\\|])//g;
return $characters;
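Review bot: the replacement character class on the `+ $characters =~ s/([\`\~\!\@\#\$\%...` line is a blacklist and still passes whitespace, newline, carriage return, `-`, `,` and `.`, so a value such as `-rf` or one with an embedded newline reaches the shell intact; the commit message itself concedes that a leading `-` is still possible. Since the context shows the routine simply returns `$characters` to the caller, consider inverting the check into a whitelist that fails closed, e.g. `return undef unless $characters =~ /\A[A-Za-z][A-Za-z0-9_.-]*\z/;`, so a bad value is rejected (and can be logged) rather than silently reshaped, and have the callers that build a command line use the list form of `system`/`exec`, which never invokes a shell at all. Minor: `\\` appears twice in the class, and the capturing group is unused now that the replacement is empty.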
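To make the difference concrete, here is an added example (not SandWeb's own code, and not part of this commit) that runs the revision 1.6 strip pattern and a whitelist validator side by side over a few constructed inputs, then shows a list-form `system` call that avoids the shell entirely. `validate_tag`, `run_cvs_tag` and the sample inputs are assumptions introduced for the illustration; the only line taken from the page is the substitution pattern.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example, not SandWeb code. The substitution pattern below is copied
# from revision 1.6 of Security.pm so the two approaches can be compared.
sub erase_unsafe_blacklist {
    my ($characters) = @_;
    $characters =~ s/([\`\~\!\@\#\$\%\^\&\*\(\)\=\+\[\{\]\}\;\:\'\"\\<\>\/\?\\\|])//g;
    return $characters;
}

# Assumed whitelist validator: keep only a plausible tag name (letter first,
# then letters, digits, '_', '.', '-') and refuse anything else outright
# instead of silently reshaping it.
sub validate_tag {
    my ($tag) = @_;
    return undef unless defined $tag;
    return undef unless $tag =~ /\A[A-Za-z][A-Za-z0-9_.-]*\z/;
    return $tag;
}

sub _show { my $s = shift; $s =~ s/\n/\\n/g; return "'$s'" }

# Constructed probe inputs, chosen to show what the blacklist misses.
my @probes = (
    "release_1",        # benign
    "x; rm -rf /",      # metacharacters: ';' and '/' are stripped
    "-rf",              # option injection: survives the blacklist intact
    "foo\nbar",         # embedded newline: survives the blacklist intact
    "1bad",             # invalid tag name, passes the blacklist unchanged
);

for my $p (@probes) {
    my $stripped = erase_unsafe_blacklist($p);
    my $checked  = validate_tag($p);
    printf "%-16s blacklist=%-16s whitelist=%s\n",
        _show($p), _show($stripped),
        defined $checked ? $checked : 'REJECTED';
}

# Assumed caller: list-form system() hands each argument to cvs directly,
# so no shell ever parses $tag, and the validator rejects a leading '-'.
sub run_cvs_tag {
    my ($tag, $file) = @_;
    my $t = validate_tag($tag);
    die "invalid tag name\n" unless defined $t;
    return system('cvs', 'tag', $t, $file) == 0;
}
```

The printed table shows that the blacklist leaves `-rf`, the newline case and `1bad` untouched, while the whitelist rejects all three and accepts only `release_1`; `run_cvs_tag` dies on the rejected values before any command is built.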