Item10116: Fix taint error, handle missing .tgz
git-svn-id: http://svn.foswiki.org/branches/Release01x01@10174 0b4bb1d4-4e5a-0410-9cc4-b2b747904278
GeorgeClark authored and GeorgeClark committed Dec 4, 2010
1 parent fb9f808 commit 67f0915
Showing 2 changed files with 16 additions and 7 deletions.
3 changes: 1 addition & 2 deletions core/lib/Foswiki/Configure/Package.pm
@@ -371,8 +371,7 @@ sub install {
{ # no extension found - need to download the package
( $err, $tmpfilename ) = $this->_fetchFile('.tgz');
if ($err) {
$this->{_errors} .= "Download failure\n $err";
return ( $feedback, "Download failure\n $err" );
$feedback .= "Download failure fetching .tgz file - $err\n Trying .zip file\n";
}

unless ( $tmpfilename && !$err )
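Review bot: The `if ($err)` branch no longer returns and no longer appends to `$this->{_errors}`, so a failed .tgz download is recorded only in the `$feedback` text and `$err` stays set going into the `unless ( $tmpfilename && !$err )` block. That block continues outside the hunk; if the .zip attempt there overwrites `$err`, the original cause is presumably lost from the error record when both downloads fail. A short comment would make the missing return read as intentional, for example `# No return here: fall through so the unless-block below retries with .zip`. If callers inspect `_errors` after a total failure, also consider appending the .tgz message there once the .zip attempt has failed too. `install` starts and ends outside the hunk.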
20 changes: 15 additions & 5 deletions core/lib/Foswiki/Configure/Util.pm
@@ -411,13 +411,23 @@ sub _unzip {
my @members = $zip->members();
foreach my $member (@members) {
my $file = $member->fileName();
$file =~ /(.*)/;
$file =~ /^(.*)$/;
$file = $1; #yes, we must untaint
my $target = $file;
my $err = $zip->extractMember( $file, $target );
if ($err) {
return "unzip failed: Failed to extract '$file' from zip file ",
$zip, ". Archive may be corrupt.\n";
my $dest = Cwd::getcwd();
($dest) = $dest =~ m/^(.*)$/;

#SMELL: Archive::Zip->extractMember( $file) would be better to use
# but it has taint issues on Perl 5.12.
my $contents = $zip->contents( $file );
if ( $contents) {
my ($vol,$dir,$fn) = File::Spec->splitpath( $file );
File::Path::mkpath( "$dest/$dir" );
open( my $fh, '>', "$dest/$file" )
|| die "Unable to open $dest/$file \n $! \n\n ";
binmode $fh;
print $fh $contents;
close($fh);
}
}
}
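Review bot: The member name is untainted with a match-everything pattern and then used directly in `File::Path::mkpath( "$dest/$dir" )` and `open( my $fh, '>', "$dest/$file" )`, so a name from the downloaded archive that is absolute or contains `..` components would be written outside the current directory. The untaint step is the natural place to reject such names, as sketched below. The result of `$file =~ /^(.*)$/` is also unchecked, so a name that does not match (one with an embedded newline, for instance) leaves `$1` holding whatever the previous successful match captured. Separately, `if ( $contents)` skips empty members and replaces the old "unzip failed" return with silence, so a corrupt archive may now appear to extract cleanly; `print` and `close` are unchecked as well. `_unzip` starts and ends outside the hunk.

```perl
        my $file = $member->fileName();

        # Member names come from the downloaded archive: refuse anything
        # absolute or climbing out of the extraction directory before the
        # name is untainted and used to build a path.
        if (   File::Spec->file_name_is_absolute($file)
            || grep { $_ eq File::Spec->updir() } File::Spec->splitdir($file) )
        {
            return "unzip failed: unsafe member name '$file' in archive\n";
        }
        ($file) = $file =~ m/\A([^\0\r\n]+)\z/
          or return "unzip failed: invalid member name in archive\n";

        # … unchanged: $dest lookup, contents(), mkpath, open/print/close …
```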