
Item9041: ensuree web and topic name are untainted before manipulatin…

…g them

git-svn-id: http://svn.foswiki.org/trunk@8183 0b4bb1d4-4e5a-0410-9cc4-b2b747904278
CrawfordCurrie authored and CrawfordCurrie committed Jul 15, 2010
1 parent bcfd9d3 commit 051d3c96046572a24e880bd24b43e7c769b9eda2
@@ -73,30 +73,36 @@ sub earlyInitPlugin {

sub _patchWebTopic {

# my ($web, $topic) = @_;
# don't uncomment, use $_[0] etc
if ( ( $_[0] eq 'TWiki' )
&& ( !Foswiki::Func::topicExists( $_[0], $_[1] ) ) )
my ($web, $topic) = @_;

return unless Foswiki::Func::isValidWebName($web);
$web = Foswiki::Sandbox::untaintUnchecked($web);

return unless Foswiki::Func::isValidTopicName($topic);
$topic = Foswiki::Sandbox::untaintUnchecked($topic);

if ( ( $web eq 'TWiki' )
&& ( !Foswiki::Func::topicExists( $web, $topic ) ) )
{
my $TWikiWebTopicNameConversion =
$Foswiki::cfg{Plugins}{TWikiCompatibilityPlugin}
{TWikiWebTopicNameConversion};
$_[0] = $Foswiki::cfg{SystemWebName};
if ( defined( $TWikiWebTopicNameConversion->{ $_[1] } ) ) {
$_[1] = $TWikiWebTopicNameConversion->{ $_[1] };
if ( defined( $TWikiWebTopicNameConversion->{ $topic } ) ) {
$_[1] = $TWikiWebTopicNameConversion->{ $topic };

#print STDERR "converted to $_[1]";
#print STDERR "converted to $topic";
}
}
my $MainWebTopicNameConversion =
$Foswiki::cfg{Plugins}{TWikiCompatibilityPlugin}
{MainWebTopicNameConversion};
if ( ( $_[0] eq 'Main' )
&& ( defined( $MainWebTopicNameConversion->{ $_[1] } ) ) )
if ( ( $web eq 'Main' )
&& ( defined( $MainWebTopicNameConversion->{ $topic } ) ) )
{
$_[1] = $MainWebTopicNameConversion->{ $_[1] };
$_[1] = $MainWebTopicNameConversion->{ $topic };

#print STDERR "converted to $_[1]";
#print STDERR "converted to $topic";
}
}
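Review bot: The untainting in `_patchWebTopic` applies only to the local copies `$web` and `$topic`; the caller's `$_[0]` and `$_[1]` are assigned only inside the two conversion branches, so on every other path, including both `return unless ...` lines, the caller keeps the tainted or invalid name it passed in and gets no signal that validation failed. If callers are expected to validate again themselves, say so at the top of the sub, e.g. `# Validates and untaints local copies only; $_[0]/$_[1] change solely when a conversion applies`. `untaintUnchecked` is safe here only because the `isValidWebName`/`isValidTopicName` check sits directly above it, so each pair should stay adjacent; the second hunk on this page uses `Foswiki::Sandbox::untaint` with a validator callback, which ties the two steps together. The `Main` test now reads `$web`, which still holds the original name after `$_[0]` has been set to `$Foswiki::cfg{SystemWebName}`, where the old code tested the updated `$_[0]`.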

@@ -15,7 +15,10 @@ sub new {
}

sub untaintUnchecked { Foswiki::Sandbox::untaintUnchecked(@_) }
sub normalizeFileName { Foswiki::Sandbox::normalizeFileName(@_) }
sub normalizeFileName {
Foswiki::Sandbox::untaint(
shift, \&Foswiki::Sandbox::validateAttachmentName);
}
sub sanitizeAttachmentName { Foswiki::Sandbox::sanitizeAttachmentName(@_) }
sub sysCommand { return Foswiki::Sandbox::sysCommand(@_) }
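Review bot: The rewritten `normalizeFileName` changes the wrapper's contract without documenting it: it forwards only the first argument (`shift`) and runs it through `Foswiki::Sandbox::untaint` with `validateAttachmentName`, where the sibling wrappers still pass `@_` straight through. A value the validator rejects presumably comes back as undef rather than a normalized name, and callers written against the old behaviour may not check for that. A comment above the sub would make this visible, e.g. `# Compatibility shim: validates the name as an attachment name; result may be undef if validation fails (confirm against Foswiki::Sandbox::untaint)`. The `sub new` that precedes these wrappers ends inside the hunk but starts outside it.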
