marc 99/10/08 16:40:06
Modified: . bugdb.cgi
Log:
Ensure that we validate all input from the user before we pass it to any command lines. If it doesn't look safe, die. This list may be too restrictive in certain cases, but if so it can be dealt with.
Revision Changes Path
1.44 +15 -1 apache-site/bugdb.cgi
Index: bugdb.cgi
===================================================================
RCS file: /export/home/cvs/apache-site/bugdb.cgi,v
retrieving revision 1.43
retrieving revision 1.44
diff -u -r1.43 -r1.44
--- bugdb.cgi 1999/10/08 17:33:11 1.43
+++ bugdb.cgi 1999/10/08 23:40:06 1.44
@@ -1,9 +1,10 @@
-#!/usr/local/bin/perl
+#!/usr/local/bin/perl -T
 # wwwgnats.pl - a WWW interface to the GNATS bug tracking system
 # Thanks to Larry Wall, CERN, and NCSA for Perl, WWW, and Mosaic!
 require "/usr/local/lib/gnats/libgnats.pl";
 use POSIX;
+$ENV{PATH}="/bin:/usr/bin:/usr/local/bin";
 #### Configuration begins here
@@ -369,6 +370,15 @@
 return $str;
 }
+sub check_unsafe
+{
+ local($str) = $_[0];
+ unless($str =~ /[EMAIL PROTECTED] ]+$/) {
+ print "<FONT COLOR=\"red\">INVALID INPUT: $str</FONT>\n";
+ die("$0: invalid character (breakin attempt?) in \"$str\"");
+ }
+}
+
 # Make text safe to display in an HTML stream
 sub html_escape
 {
@@ -1223,6 +1233,7 @@
 $oldval = "nobody|^\$";
 }
 # Convert this key into a query-pr option
+ &check_unsafe($oldval);
 $opts = " --originator=\"$oldval\"";
 # The originator cares about bugs which are in feedback state.
 $opts .= " --state=\"feedback\"";
@@ -1242,6 +1253,7 @@
 }
 if ($nickname ne "") {
 # Convert this key into a query-pr option
+ &check_unsafe($nickname);
 $opts = " --responsible=\"$nickname\"";
 # Responsible person cares about bugs which are open or analyzed.
 $opts .= " --state=\"open|analyzed\"";
@@ -1267,6 +1279,8 @@
 # (Our database sometimes puts underscores instead of spaces).
 $oldval =~ s/[\s_]/[ _]/g;
 # Convert this key into a query-pr option
+ &check_unsafe($oldkey);
+ &check_unsafe($oldval);
 $opts .= " --$oldkey=\"$oldval\"";
 }
 }
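Review bot: Pinning `$ENV{PATH}` is only half of what the new `-T` switch demands before this script starts a subprocess; perlsec also requires that `IFS`, `CDPATH`, `ENV` and `BASH_ENV` be absent or untainted, otherwise the first `system`, backtick or pipe `open` dies with an "Insecure $ENV{...}" error no matter how carefully the arguments were checked. Add `delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};` beside the PATH assignment so the environment the child inherits is fully controlled. The file-level code in this hunk continues outside it, so whether any later line already does this cannot be confirmed here.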
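Review bot: The `print` inside `check_unsafe` writes the rejected input straight into the HTML response, so the one value that just failed the allowlist is reflected to the browser verbatim; pass it through the `html_escape` helper defined immediately below, `print "<FONT COLOR=\"red\">INVALID INPUT: " . &html_escape($str) . "</FONT>\n";` (assuming `html_escape` returns the escaped string, which this page does not show). The character class of the pattern is mangled in this archived copy (`[EMAIL PROTECTED]`), so its contents cannot be reviewed from here, but the trailing `$` anchor as written still admits a final newline, which `\z` would not. Under `-T` a successful match does not untaint `$str`: the caller's value stays tainted unless it is reassigned from a capture, e.g. `($str) = $str =~ /\A([ALLOWED_CLASS]+)\z/ or die ...;` with the class filled in, so as written this sub only rejects bad input and does not make good input usable in a taint-checked command line.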
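Review bot: `$oldval` is still interpolated inside shell double quotes after the check (`--originator=\"$oldval\"`), and the same applies to `$nickname` in the next hunk and to `$oldkey`/`$oldval` in the last one, so the protection rests entirely on the allowlist excluding `"`, `\`, backtick and `$`; yet the default assigned two lines above, `"nobody|^\$"`, contains a literal `$` and is passed through the same check, which suggests the class admits a character that keeps its meaning inside the shell's double quotes. The hunk does not show how `$opts` is executed, so this is inferred from the quoting; if query-pr is started through a shell, the robust fix is to accumulate the options in a list and invoke it with list-form `open my $fh, '-|', 'query-pr', @opts` (or `system` with a list), so that the character class only has to protect query-pr's own argument parsing rather than the shell's.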
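Review bot: `&check_unsafe($oldval)` runs after the `s/[\s_]/[ _]/g` rewrite, so the allowlist has to admit `[`, `]` and space merely to let the script's own transformation through, and that same widened class then applies at every other call site. Check the raw value first — move `&check_unsafe($oldval);` above the `$oldval =~ s/[\s_]/[ _]/g;` line — so the class can stay as tight as the callers in the earlier hunks need. `$oldkey` becomes an option name in `--$oldkey=`, so it deserves a stricter rule than a general character class, ideally a comparison against a fixed list of known query-pr field names. The enclosing loop begins outside the hunk.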