marc        99/10/08 16:40:06

  Modified:    .        bugdb.cgi
  Log:
  Ensure that we validate all input from the user before we pass it
  to any command lines.  If it doesn't look safe, die.  This list
  may be too restrictive in certain cases, but if so it can be dealt
  with.
  
  Revision  Changes    Path
  1.44      +15 -1     apache-site/bugdb.cgi
  
  Index: bugdb.cgi
  ===================================================================
  RCS file: /export/home/cvs/apache-site/bugdb.cgi,v
  retrieving revision 1.43
  retrieving revision 1.44
  diff -u -r1.43 -r1.44
  --- bugdb.cgi 1999/10/08 17:33:11     1.43
  +++ bugdb.cgi 1999/10/08 23:40:06     1.44
  @@ -1,9 +1,10 @@
  -#!/usr/local/bin/perl
  +#!/usr/local/bin/perl -T
   # wwwgnats.pl - a WWW interface to the GNATS bug tracking system
   # Thanks to Larry Wall, CERN, and NCSA for Perl, WWW, and Mosaic!
   
   require "/usr/local/lib/gnats/libgnats.pl";
   use POSIX;
  +$ENV{PATH}="/bin:/usr/bin:/usr/local/bin";
   
   #### Configuration begins here
   
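Review bot: Setting `$ENV{PATH}` is only part of what taint mode needs before the script may run external commands: perlsec also requires that `IFS`, `CDPATH`, `ENV` and `BASH_ENV` be removed or set to a safe value, otherwise `system`/backtick calls abort with an insecure-environment error under `-T`. Add `delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};` next to the PATH assignment. Also worth confirming that the web server starts the script through the shebang line, since a `perl bugdb.cgi` invocation rejects a `-T` that appears only on the `#!` line.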
  @@ -369,6 +370,15 @@
       return $str;
   }
   
  +sub check_unsafe
  +{
  +    local($str) = $_[0];
  +    unless($str =~ /[EMAIL PROTECTED] ]+$/) {
  +     print "<FONT COLOR=\"red\">INVALID INPUT: $str</FONT>\n";
  +     die("$0: invalid character (breakin attempt?) in \"$str\"");
  +    }
  +}
  +
   # Make text safe to display in an HTML stream
   sub html_escape
   {
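Review bot: check_unsafe only tests the string and never launders it, so under the `-T` this commit adds, a value that passes the check is still tainted when it is interpolated into the query-pr command line; the conventional step is to reassign from a capture and return it, `my ($clean) = $str =~ /^(CLASS+)\z/ or die ...;` with CLASS the original character class, unless the value is untainted elsewhere in the file. The class as shown has been mangled by the archive (`[EMAIL PROTECTED]`), so its exact contents cannot be reviewed here, but the trailing `$` anchor matches before a final newline and should be `\z` in an allowlist. The `print` line echoes the rejected input into the HTML response unescaped; passing it through `html_escape`, defined immediately below, avoids reflecting the raw text, and `my ($str) = @_;` is preferable to the Perl-4 style `local($str)`.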
  @@ -1223,6 +1233,7 @@
                $oldval = "nobody|^\$";
            }
            # Convert this key into a query-pr option
  +         &check_unsafe($oldval);
            $opts = " --originator=\"$oldval\"";
            # The originator cares about bugs which are in feedback state.
            $opts .= " --state=\"feedback\"";
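Review bot: The default assigned two lines above the new call, `$oldval = "nobody|^\$";`, contains `|`, `^` and `$`; unless check_unsafe's character class admits those three, the default branch now dies on every request that reaches it, so either run the check only on the user-supplied value or exempt the default. The checked value is still interpolated into a shell command string on the next line, and the hunks at `@@ -1242` and `@@ -1267` do the same for `$nickname`, `$oldkey` and `$oldval`; the allowlist reduces the exposure, but building the query-pr invocation with list-form `system`/`open '-|'` would keep the shell out of the path entirely. The enclosing function begins and ends outside this hunk.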
  @@ -1242,6 +1253,7 @@
        }
        if ($nickname ne "") {
            # Convert this key into a query-pr option
  +         &check_unsafe($nickname);
            $opts = " --responsible=\"$nickname\"";
            # Responsible person cares about bugs which are open or analyzed.
            $opts .= " --state=\"open|analyzed\"";
  @@ -1267,6 +1279,8 @@
                # (Our database sometimes puts underscores instead of spaces).
                $oldval =~ s/[\s_]/[ _]/g;
                # Convert this key into a query-pr option
  +             &check_unsafe($oldkey);
  +             &check_unsafe($oldval);
                $opts .= " --$oldkey=\"$oldval\"";
            }
        }
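Review bot: The substitution just above the new calls, `$oldval =~ s/[\s_]/[ _]/g;`, inserts the literal characters `[`, ` `, `_` and `]` into `$oldval` before check_unsafe sees it, so the character class must admit all four or this branch dies for every value that contained a space or underscore; if they are not in the class, move `&check_unsafe($oldval);` above the substitution. `$oldkey` becomes the option name itself in `--$oldkey=`, and a character allowlist that admits spaces is a weak guard for that position; validating `$oldkey` against the fixed set of query-pr field names the form presents would be tighter. The enclosing function starts outside this hunk.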
  
  
  
