Update of /cvsroot/sandweb/sandweb/bin
In directory sc8-pr-cvs1:/tmp/cvs-serv10731/bin
Modified Files:
sandweb.cgi
Log Message:
Erase a lot of unsafe characters from user input before shell use; this should prevent security breaches.
Index: sandweb.cgi
===================================================================
RCS file: /cvsroot/sandweb/sandweb/bin/sandweb.cgi,v
retrieving revision 1.345
retrieving revision 1.346
diff -U2 -r1.345 -r1.346
--- sandweb.cgi 3 Feb 2003 20:56:00 -0000 1.345
+++ sandweb.cgi 5 Mar 2003 08:31:02 -0000 1.346
@@ -40,5 +40,5 @@
uses SandWeb, SandWeb::Repository, SandWeb::Browse, SandWeb::File,
- SandWeb::Config, Data::Dumpber, CGI::Carp, CGI
+ SandWeb::Config, Data::Dumpber, CGI::Carp, CGI, SandWeb::Security
=cut
@@ -51,4 +51,5 @@
use SandWeb::File;
use SandWeb::Config;
+use SandWeb::Security;
# Debugging
@@ -188,16 +189,47 @@
# has valid auth cookie
my $repository_selected = $cgi->param('repository_selected') || '';
- my $repo_name = $cgi->param('repo_name') || '';
- my $repo_server = $cgi->param('repo_server') || '';
- my $repo_username = $cgi->param('repo_username') || '';
- my $repo_password = $cgi->param('repo_password') || '';
- my $remember_repo_password = $cgi->param('remember_repo_password') || '';
- my $repo_type = $cgi->param('repo_type') || '';
- my $repo_connection = $cgi->param('repo_connection') || '';
- my $repo_root = $cgi->param('repo_root') || '';
+
+ # Create an object to secure user input for shell use
+ my $secure = SandWeb::Security->new();
+
+ my $unsafe_repo_name = $cgi->param('repo_name') || '';
+ my $repo_name = $secure->shell(
+ characters => "$unsafe_repo_name",
+ );
+ my $unsafe_repo_server = $cgi->param('repo_server') || '';
+ my $repo_server = $secure->shell(
+ characters => "$unsafe_repo_server",
+ );
+ my $unsafe_repo_username = $cgi->param('repo_username') || '';
+ my $repo_username = $secure->shell(
+ characters => "$unsafe_repo_username",
+ );
+ my $unsafe_repo_password = $cgi->param('repo_password') || '';
+ my $repo_password = $secure->shell(
+ characters => "$unsafe_repo_password",
+ );
+ my $unsafe_remember_repo_password = $cgi->param('remember_repo_password') || '';
+ my $remember_repo_password = $secure->shell(
+ characters => "$unsafe_remember_repo_password",
+ );
+ my $unsafe_repo_type = $cgi->param('repo_type') || '';
+ my $repo_type = $secure->shell(
+ characters => "$unsafe_repo_type",
+ );
+ my $unsafe_repo_connection = $cgi->param('repo_connection') || '';
+ my $repo_connection = $secure->shell(
+ characters => "$unsafe_repo_connection",
+ );
+ my $unsafe_repo_root = $cgi->param('repo_root') || '';
+ my $repo_root = $secure->shell(
+ characters => "$unsafe_repo_root",
+ );
my $new_repository = $cgi->param('new_repository') || '';
my $submit = $cgi->param('Submit') || '';
my $vcs_command = $cgi->param('vcs_command') || '';
- my $module_name = $cgi->param('module_name') || '';
+ my $unsafe_module_name = $cgi->param('module_name') || '';
+ my $module_name = $secure->shell(
+ characters => "$unsafe_module_name",
+ );
my $module_description = $cgi->param('module_description') || '';
my $location = $cgi->param('location') || '';
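Review bot: Running `repo_password` through `$secure->shell(...)` on the lines for `$unsafe_repo_password` means a password that happens to contain one of the stripped characters is silently altered before it is used, and the strip-list approach as a whole only holds if the module's denylist is complete for every shell this code runs under. Since these values look destined for a command line, the more robust fix is to keep them away from a shell entirely — build commands with list-form `system($cmd, @args)` or `open(my $fh, '-|', $cmd, @args)` — and to reject rather than rewrite input that fails an anchored allowlist, e.g. `die "bad repo_name" unless $repo_name =~ /\A[\w.-]+\z/;`. `repository_selected`, `new_repository`, `vcs_command`, `module_description` and `location` are still read unfiltered in this hunk; if any of them is also interpolated into a command (their use is outside the hunk), the same gap remains there. The nine near-identical four-line blocks would also read better as one loop over a list of field names. The enclosing subroutine starts before and continues past this hunk.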