Item13222: fix untaint for undef values; plus a pending improvement f…

…or the tracing in ScriptHash
foswiki · Jan 20, 2015 · 400d288 · 400d288
1 parent cfc00b8
commit 400d288
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 9 deletions.
diff --git a/core/lib/Foswiki/Configure/Query.pm b/core/lib/Foswiki/Configure/Query.pm
@@ -41,8 +41,8 @@ sub _getSetParams {
     my ( $params, $root, $reporter ) = @_;
     if ( $params->{set} ) {
         while ( my ( $k, $v ) = each %{ $params->{set} } ) {
-            ($v) = $v =~ m/^(.*)$/s;    # UNTAINT
             if ( defined $v ) {
+                ($v) = $v =~ m/^(.*)$/s;    # UNTAINT
                 my $spec  = $root->getValueObject($k);
                 my $value = $v;
                 if ($spec) {

diff --git a/core/lib/Foswiki/Configure/Wizards/Save.pm b/core/lib/Foswiki/Configure/Wizards/Save.pm
@@ -229,10 +229,10 @@ sub save {
     # Get changes from 'set' *without* expanding values.
     if ( $this->param('set') ) {
         while ( my ( $k, $v ) = each %{ $this->param('set') } ) {
-            $v =~ m/^(.*)$/s;
-            $v = $1;    # untaint
             my $spec = $root->getValueObject($k);
             if ( defined $v ) {
+                $v =~ m/^(.*)$/s;
+                $v = $1;                      # untaint
                 $spec->{saving_value} = $v;
                 if ($spec) {
                     eval { $v = $spec->decodeValue($v) };

diff --git a/core/lib/Foswiki/Configure/Wizards/ScriptHash.pm b/core/lib/Foswiki/Configure/Wizards/ScriptHash.pm
@@ -76,7 +76,13 @@ sub verify {
       . "/$script"
       . ( $Foswiki::cfg{ScriptSuffix} || '' );
 
-    $reporter->NOTE("Tracing access to =$url=");
+    my $target = $Foswiki::cfg{ScriptUrlPaths}{$script};
+    unless ( defined $target ) {
+        $target = "$Foswiki::cfg{ScriptUrlPath}/$script"
+          . ( $Foswiki::cfg{ScriptSuffix} || '' );
+    }
+
+    $reporter->NOTE("Tracing access to =$url=, $keys = '$target'");
 
     my $try     = 10;
     my %headers = (
@@ -131,11 +137,6 @@ sub verify {
             last;
         }
 
-        my $target = $Foswiki::cfg{ScriptUrlPaths}{$script};
-        unless ( defined $target ) {
-            $target = "$Foswiki::cfg{ScriptUrlPath}/$script"
-              . ( $Foswiki::cfg{ScriptSuffix} || '' );
-        }
         my $ptarget = ($target) ? $target : 'empty';
 
         if ( $script eq 'view' ) {