From: <de...@de...> - 2008-12-01 13:28:59
Author: SopanShewale Date: 2008-12-01 07:28:54 -0600 (Mon, 01 Dec 2008) New Revision: 17742 Trac url: http://develop.twiki.org/trac/changeset/17742 Modified: twiki/branches/TWikiRelease04x02/lib/TWiki/Time.pm Log: Item6136: User input is passed to the perl eval command without first being sanitized, Thanks CrawfordCurrie for this patch through email list Modified: twiki/branches/TWikiRelease04x02/lib/TWiki/Time.pm =================================================================== --- twiki/branches/TWikiRelease04x02/lib/TWiki/Time.pm 2008-12-01 13:27:49 UTC (rev 17741) +++ twiki/branches/TWikiRelease04x02/lib/TWiki/Time.pm 2008-12-01 13:28:54 UTC (rev 17742) @@ -431,13 +431,16 @@ $ends[$i] =~ s/S/\*1\+/gi; # possibly append '0' and evaluate numerically the string. $ends[$i] =~ s/\+$/+0/; - my $duration = eval($ends[$i]); + $ends[$i] =~ s#[^-\d+*/]##g; + my $duration = eval( $ends[$i] ); # the value computed, if it specifies the starting point # in time, must be subtracted from the previously # computed ending point. if it specifies the ending # point, it must be added to the previously computed # starting point. - $ends[$i] = eval($ends[1-$i].$oper[$i].$ends[$i]); + my $expr = "$ends[1-$i]$oper[$i]($ends[$i])"; + $expr =~ s#[^-\d+*/()]##g; + $ends[$i] = eval( $expr ); # SMELL: if the user specified both start and end as a # time duration, some kind of error must be reported. } |
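Review bot: the new whitelist strip `$ends[$i] =~ s#[^-\d+*/]##g;` runs after `$ends[$i] =~ s/\+$/+0/;`, so a value whose disallowed characters follow a trailing operator produced by the `S/\*1\+/gi` style substitutions above is left ending in a bare `+` or `*` once those characters are removed, and the following `eval( $ends[$i] )` dies with a syntax error; moving the strip above the `+0` fix-up keeps the expression well-formed. Independently, the whitelist removes identifiers and sigils so only arithmetic reaches `eval`, but a malformed or division-by-zero expression still makes `eval` return undef and set `$@`, and neither `$duration` nor the result of `eval( $expr )` is checked; suggest testing `$@` or `defined` after each `eval` and reporting the bad input rather than carrying undef into the later start/end computation, which is also where the SMELL comment notes an error should be raised.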