Item9419: Taint issue related to $web fatal with asserts on

ucfirst taints data At least in old perls. Always untaint if you use ucfirst git-svn-id: http://svn.foswiki.org/trunk@8381 0b4bb1d4-4e5a-0410-9cc4-b2b747904278
foswiki · Jul 31, 2010 · 8dfe129 · 8dfe129
1 parent 5357acf
commit 8dfe129
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/core/lib/Foswiki/Templates.pm b/core/lib/Foswiki/Templates.pm
@@ -416,7 +416,8 @@ sub _readTemplateFile {
 
                 # Could also use $Skin, $Web, $Name to indicate uppercase
                 $userdir  = 1;
-                $skin     = ucfirst($skin);
+                # Again untainting when using ucfirst
+                $skin     = Foswiki::Sandbox::untaintUnchecked( ucfirst($skin) );
                 $webName  = $userdirweb;
                 $tmplName = $userdirname;
             }