

MiniVend 4.04a
perusionmike authored and jonjensen committed Jan 2, 2009
1 parent f190872 commit b806f74
Showing 7 changed files with 36 additions and 16 deletions.
1 change: 0 additions & 1 deletion MANIFEST
Expand Up @@ -322,7 +322,6 @@ dist/simple/pages/special/feedback.html
dist/simple/pages/special/needfield.html
dist/simple/pages/splash.html
dist/simple/pages/srchform.html
dist/simple/pages/view_page.html
dist/simple/pgsql/area.pgsql
dist/simple/pgsql/cat.pgsql
dist/simple/pgsql/country.pgsql
2 changes: 1 addition & 1 deletion Makefile.PL
Expand Up @@ -27,7 +27,7 @@ my $Prompt_sub;
my @mods_to_get;
my $Lock_troubles;

$VERSION = '4.04';
$VERSION = '4.04a';

# See if we have the CPAN module
my $Cpan = 0;
11 changes: 11 additions & 0 deletions WHATSNEW
@@ -1,3 +1,14 @@
Minivend-4.04a changes:
* Util.pm: Added test for existence of file before opening. Thanks to
Alexander Lazic.
* Util.pm: Added test for existence of file before opening. Thanks to
Lluis Mora.
* Scan.pm: Added _dir_security routine for preventing problems in mv_base_directory.
Thanks again to Lluis Mora.
* bin/minivend: Added check routine for session_id preventing security problems
in retire_id routine. Also tightened retire_id itself. Thanks yet again
to Lluis Mora!

Minivend-4.04 changes:
* Demo: Fixed COLSPAN=0 in logo bars -- it was killing Gecko rendering.
* Demo: fixed email password function
11 changes: 0 additions & 11 deletions dist/simple/pages/view_page.html

This file was deleted.

7 changes: 6 additions & 1 deletion lib/Vend/Scan.pm
Expand Up @@ -213,7 +213,7 @@ my %Parse = (
find_search_params($ref, $p);
return $val;
},
#base_directory => \&_file_security_scalar,
base_directory => \&_dir_security_scalar,
mv_field_file => \&_file_security_scalar,
mv_search_file => \&_file_security,

Expand Down Expand Up @@ -890,6 +890,11 @@ sub _file_security_scalar {
return $result->[0];
}

sub _dir_security_scalar {
return undef if ! -d $_->[0];
return $_->[0];
}

sub _scalar_or_array {
my(@fields) = split /\s*[,\0]\s*/, $_[1], -1;
my $arg;
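Review bot: `_dir_security_scalar` reads its argument through `$_->[0]`, but the neighbouring callbacks in this table take their value from `@_` (`_scalar_or_array` splits `$_[1]`), so `$_` here looks like the caller's loop topic rather than the passed value; under `use strict` a plain string in `$_` makes `$_->[0]` die, and otherwise the check runs against the wrong data, so please confirm the calling convention and read the value as `$_[1]` (or whichever index the table passes). Separately, `-d` only confirms that the directory exists: an absolute path, or one containing `..`, that happens to exist is accepted as `base_directory`, so if the intent is to confine the value, also verify it resolves under the permitted root before returning it. Prefer `return;` to `return undef;` so a list-context caller gets an empty list rather than a single undef. The `%Parse` table in the first hunk begins before line 213 and continues past it.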
3 changes: 2 additions & 1 deletion lib/Vend/Util.pm
Expand Up @@ -450,7 +450,7 @@ sub uneval_it_file {
sub eval_it_file {
my ($fn) = @_;
local($/) = undef;
open(UNEV, $fn) or return undef;
open(UNEV, "< $fn") or return undef;
my $ref = evalr(<UNEV>);
close UNEV;
return $ref;
Expand Down Expand Up @@ -807,6 +807,7 @@ sub readfile {
return undef;
}

return undef if ! -f $file;
return undef if ! open(READIN, $file);

binmode(READIN) if $Global::Windows;
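Review bot: Both hunks keep the two-argument `open`, so the filename string is still interpreted by Perl rather than used literally: `"< $fn"` in `eval_it_file` pins the mode but still trims surrounding whitespace and treats a bare `-` as STDIN, and the new `-f $file` guard in `readfile` only narrows what reaches `open(READIN, $file)` while introducing a check-then-open race against the filesystem. Use the three-argument form so the value is taken purely as a path: `open(UNEV, '<', $fn) or return undef;` and `return undef if ! open(READIN, '<', $file);`. A lexical handle (`open(my $fh, '<', $fn)`) would additionally avoid the shared bareword handles `UNEV` and `READIN`. `readfile` starts before its hunk and both subs continue past the lines shown.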
17 changes: 16 additions & 1 deletion scripts/minivend.PL
Expand Up @@ -124,7 +124,7 @@ use vars qw($VERSION);
require Exporter;
BEGIN {
$VERSION = '4.04';
$VERSION = '4.04a';
}
Expand Down Expand Up @@ -1033,6 +1033,7 @@ sub is_retired {
sub retire_id {
my $id = shift;
return unless $id =~ /^\w+$/;
mkdir "$Vend::Cfg->{ScratchDir}/retired", 0777
unless -d "$Vend::Cfg->{ScratchDir}/retired";
my $fn = Vend::Util::get_filename($id, 2, 1, "$Vend::Cfg->{ScratchDir}/retired");
Expand Down Expand Up @@ -1322,6 +1323,20 @@ EOF
$sessionid = generate_key($CGI::remote_addr . $CGI::useragent);
}
}
elsif ($sessionid !~ /^\w+$/) {
my $msg = get_locale_message(
403,
"Unauthorized for that session %s. Logged.",
$sessionid,
);
$Vend::StatusLine = <<EOF;
Status: 403 Unauthorized
Content-Type: text/plain
EOF
::response($msg);
logGlobal($msg);
return;
}
# DEBUG
#::logDebug ("session='$sessionid' cookie='$CGI::cookie' chost='$CGI::cookiehost'");
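Review bot: The session-id guard `$sessionid !~ /^\w+$/` (and the same `/^\w+$/` test added to `retire_id` in the second hunk) lets a trailing newline through, because `$` matches before a final `\n`, and `\w` also admits non-ASCII word characters under Unicode semantics; since the value is later used to build a path under `ScratchDir`, anchor it as `/\A[A-Za-z0-9_]+\z/` in both places. The new status line `Status: 403 Unauthorized` pairs the 403 code with 401's reason phrase; `Status: 403 Forbidden` is the conventional text. The `if`/`elsif` chain this branch joins begins before the hunk, so which earlier branches handle an undefined `$sessionid` is not visible here.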
