Update of /cvsroot/sandweb/sandweb/lib/SandWeb/Repository
In directory sc8-pr-cvs1:/tmp/cvs-serv6501/lib/SandWeb/Repository
Modified Files:
cvs.pm
Log Message:
added some much-needed security -
now Security->shell() just erases unsafe characters, and tag complains
if you don't enter a tag name.
It's possible for the user to enter an invalid tag name ( e.g. begins
with a number or - or _ ) but they shouldn't be able to make arbitrary
calls to the shell.
Index: cvs.pm
===================================================================
RCS file: /cvsroot/sandweb/sandweb/lib/SandWeb/Repository/cvs.pm,v
retrieving revision 1.43
retrieving revision 1.44
diff -U2 -r1.43 -r1.44
--- cvs.pm 4 Mar 2003 07:19:45 -0000 1.43
+++ cvs.pm 5 Mar 2003 08:19:56 -0000 1.44
@@ -2113,5 +2113,16 @@
if ($force) { push @param, " -f" };
if ($check) { push @param, " -c" };
- if ($name) { push @param, " \\\"$name\\\"" };
+ if ($name) {
+ push @param, " $name"
+ } else {
+ # we must have a tag name, return an error if we don't
+
+ my %return = (
+ output => "",
+ error => "No tag name was specified.",
+ );
+
+ return %return;
+ }
$log->debug("Performing tag operation");
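Review bot: In the new `if ($name)` branch, `push @param, " $name"` places the tag name on the command line with the old escaped quotes removed and no validation visible in this hunk, so safety rests entirely on whatever stripping happened before this point. The log message itself notes that a name beginning with `-` is still accepted; pushed unquoted after ` -f` / ` -c`, such a value would be parsed as an option rather than as a tag name. Suggest checking `$name` here against an allow-list for tag names (a leading letter followed by letters, digits, `-` or `_`) and returning the same `error` hash on a mismatch, instead of relying on character erasure alone. It would also help to have the comment in the `else` branch say what callers are expected to do with the returned `error` value.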