Item15192: fixed $EVAL()

also: restrict view access to SpreadSheetPlugin topic to registered users only

SpreadSheetPlugin/data/System/SpreadSheetPlugin.txt

@@ -1,4 +1,4 @@
-%META:TOPICINFO{author="ProjectContributor" date="1655468868" format="1.1" version="1"}%
+%META:TOPICINFO{author="ProjectContributor" date="1684321623" format="1.1" version="1"}%
 %META:TOPICPARENT{name="Plugins"}%
 ---+!! Foswiki Spreadsheet Plugin
 %FORMFIELD{"Description"}%
@@ -594,7 +594,7 @@ This function has two modes of operation.
    * Related: =[[#FuncLIST][$LIST()]]=, =[[#FuncMAX][$MAX()]]=, =[[#FuncMEDIAN][$MEDIAN()]]=, =[[#FuncPERCENTILE][$PERCENTILE()]]=
 
 #FuncMOD
----+++ MOD( num, divisor ) -- reminder after dividing ==num== by ==divisor==
+---+++ MOD( num, divisor ) -- residual amount after dividing ==num== by ==divisor==
    * Syntax: ==$MOD( num, divisor )==
    * Example: ==%<nop>CALC{"$MOD(7, 3)"}%== returns ==1==
    * Related: =[[#FuncEVAL][$EVAL()]]=
@@ -1003,6 +1003,7 @@ Note that the =DONTSPACE= global preference overrides the =SPREADSHEETPLUGIN_DON
 
 ---++ Change History
 %TABLE{columnwidths="7em" tablewidth="100%"}%
+|  17 May 2023: (1.25) | Foswikitask:Item15192: fixed EVAL feature exposes infromation about paths and files on the server |
 |  19 Jul 2018: (1.24) | Foswikitask:Item14741: EVAL(0) should return 0 not the empty string |
 |  20 Jan 2017: (1.23) | Released with Foswiki 2.1.3<br />\
                          Foswikitask:Item13892: Clarify documentation on CALC vs. CALCULATE |
@@ -1093,3 +1094,6 @@ Note that the =DONTSPACE= global preference overrides the =SPREADSHEETPLUGIN_DON
 %META:FIELD{name="Repository" title="Repository" value="https://github.com/foswiki/distro"}%
 %META:FIELD{name="Support" title="Support" value="http://foswiki.org/Support/%$ROOTMODULE%"}%
 %META:FIELD{name="Version" title="Version" value="%$VERSION%"}%
+%META:PREFERENCE{name="ALLOWTOPICVIEW" title="ALLOWTOPICVIEW" type="Set" value="*"}%
+%META:PREFERENCE{name="DENYTOPICVIEW" title="DENYTOPICVIEW" type="Set" value="WikiGuest"}%
+%META:PREFERENCE{name="PERMSET_VIEW" title="PERMSET_VIEW" type="Local" value="registeredusers"}%

SpreadSheetPlugin/lib/Foswiki/Plugins/SpreadSheetPlugin.pm

@@ -12,8 +12,8 @@ use vars qw(
   $web $topic $user $installWeb $debug $skipInclude $doneInit
 );
 
-our $VERSION           = '1.24';
-our $RELEASE           = '19 Jul 2018';
+our $VERSION           = '1.25';
+our $RELEASE           = '17 May 2023';
 our $NO_PREFS_IN_TOPIC = 1;
 our $SHORTDESCRIPTION =
 'Add spreadsheet calculations like "$SUM($ABOVE())" to Foswiki tables and other topic text';

SpreadSheetPlugin/lib/Foswiki/Plugins/SpreadSheetPlugin/Calc.pm

@@ -1728,6 +1728,10 @@ sub _safeEvalPerl {
     $theText =~ s/\%\s*[^\-\+\*\/0-9\.\(\)]+//g; # defuse %hash but keep modulus
       # keep only numbers and operators (shh... don't tell anyone, we support comparison operators)
     $theText =~ s/[^\!\<\=\>\-\+\*\/\%0-9e\.\(\)]*//g;
+
+    # disable glob for security reasons
+    $theText =~ s/^(\s*)\<+/$1/g;
+    $theText =~ s/\>+(\s*)$/$1/g;
     $theText =~ s/(^|[^\.])\b0+(?=[0-9])/$1/g
       ;    # remove leading 0s to defuse interpretation of numbers as octals
     $theText =~

SpreadSheetPlugin/test/unit/SpreadSheetPlugin/SpreadSheetPluginTests.pm

@@ -434,6 +434,14 @@ sub test_EVAL {
     $this->assert( $this->CALC('$EVAL(0)') eq '0' );
 }
 
+sub test_EVAL_GLOB {
+    my ($this) = @_;
+
+    $this->assert( $this->CALC('$EVAL(<*>)')               =~ /^ERROR:/ );
+    $this->assert( $this->CALC('$EVAL(< * >)')             =~ /^ERROR:/ );
+    $this->assert( $this->CALC('$EVAL(<../../../ee*/* >)') =~ /^ERROR:/ );
+}
+
 sub test_EVEN {
     my ($this) = @_;
     $this->assert( $this->CALC('$EVEN(2)') == 1 );