diff --git a/SpreadSheetPlugin/data/System/SpreadSheetPlugin.txt b/SpreadSheetPlugin/data/System/SpreadSheetPlugin.txt
index b321915207..b1efce7847 100755
--- a/SpreadSheetPlugin/data/System/SpreadSheetPlugin.txt
+++ b/SpreadSheetPlugin/data/System/SpreadSheetPlugin.txt
@@ -1,4 +1,4 @@
-%META:TOPICINFO{author="ProjectContributor" date="1655468868" format="1.1" version="1"}%
+%META:TOPICINFO{author="ProjectContributor" date="1684321623" format="1.1" version="1"}%
 %META:TOPICPARENT{name="Plugins"}%
 ---+!! Foswiki Spreadsheet Plugin
 %FORMFIELD{"Description"}%
@@ -594,7 +594,7 @@ This function has two modes of operation.
 * Related: =[[#FuncLIST][$LIST()]]=, =[[#FuncMAX][$MAX()]]=, =[[#FuncMEDIAN][$MEDIAN()]]=, =[[#FuncPERCENTILE][$PERCENTILE()]]=
 #FuncMOD
----+++ MOD( num, divisor ) -- reminder after dividing ==num== by ==divisor==
+---+++ MOD( num, divisor ) -- residual amount after dividing ==num== by ==divisor==
 * Syntax: ==$MOD( num, divisor )==
 * Example: ==%CALC{"$MOD(7, 3)"}%== returns ==1==
 * Related: =[[#FuncEVAL][$EVAL()]]=
@@ -1003,6 +1003,7 @@ Note that the =DONTSPACE= global preference overrides the =SPREADSHEETPLUGIN_DON
 ---++ Change History
 %TABLE{columnwidths="7em" tablewidth="100%"}%
+| 17 May 2023: (1.25) | Foswikitask:Item15192: fixed EVAL feature exposes infromation about paths and files on the server |
 | 19 Jul 2018: (1.24) | Foswikitask:Item14741: EVAL(0) should return 0 not the empty string |
 | 20 Jan 2017: (1.23) | Released with Foswiki 2.1.3
\ Foswikitask:Item13892: Clarify documentation on CALC vs. CALCULATE |
@@ -1093,3 +1094,6 @@ Note that the =DONTSPACE= global preference overrides the =SPREADSHEETPLUGIN_DON
 %META:FIELD{name="Repository" title="Repository" value="https://github.com/foswiki/distro"}%
 %META:FIELD{name="Support" title="Support" value="http://foswiki.org/Support/%$ROOTMODULE%"}%
 %META:FIELD{name="Version" title="Version" value="%$VERSION%"}%
+%META:PREFERENCE{name="ALLOWTOPICVIEW" title="ALLOWTOPICVIEW" type="Set" value="*"}%
+%META:PREFERENCE{name="DENYTOPICVIEW" title="DENYTOPICVIEW" type="Set" value="WikiGuest"}%
+%META:PREFERENCE{name="PERMSET_VIEW" title="PERMSET_VIEW" type="Local" value="registeredusers"}%
diff --git a/SpreadSheetPlugin/lib/Foswiki/Plugins/SpreadSheetPlugin.pm b/SpreadSheetPlugin/lib/Foswiki/Plugins/SpreadSheetPlugin.pm
index f6cb4c6d90..3fd7a17fe2 100755
--- a/SpreadSheetPlugin/lib/Foswiki/Plugins/SpreadSheetPlugin.pm
+++ b/SpreadSheetPlugin/lib/Foswiki/Plugins/SpreadSheetPlugin.pm
@@ -12,8 +12,8 @@ use vars qw( $web $topic $user $installWeb $debug $skipInclude $doneInit );
-our $VERSION = '1.24';
-our $RELEASE = '19 Jul 2018';
+our $VERSION = '1.25';
+our $RELEASE = '17 May 2023';
 our $NO_PREFS_IN_TOPIC = 1;
 our $SHORTDESCRIPTION = 'Add spreadsheet calculations like "$SUM($ABOVE())" to Foswiki tables and other topic text';
diff --git a/SpreadSheetPlugin/lib/Foswiki/Plugins/SpreadSheetPlugin/Calc.pm b/SpreadSheetPlugin/lib/Foswiki/Plugins/SpreadSheetPlugin/Calc.pm
index 901e0176ef..bd651dc028 100644
--- a/SpreadSheetPlugin/lib/Foswiki/Plugins/SpreadSheetPlugin/Calc.pm
+++ b/SpreadSheetPlugin/lib/Foswiki/Plugins/SpreadSheetPlugin/Calc.pm
@@ -1728,6 +1728,10 @@ sub _safeEvalPerl {
 $theText =~ s/\%\s*[^\-\+\*\/0-9\.\(\)]+//g; # defuse %hash but keep modulus
 # keep only numbers and operators (shh... don't tell anyone, we support comparison operators)
 $theText =~ s/[^\!\<\=\>\-\+\*\/\%0-9e\.\(\)]*//g;
+
+ # disable glob for security reasons
+ $theText =~ s/^(\s*)\<+/$1/g;
+ $theText =~ s/\>+(\s*)$/$1/g;
 $theText =~ s/(^|[^\.])\b0+(?=[0-9])/$1/g ; # remove leading 0s to defuse interpretation of numbers as octals
 $theText =~
diff --git a/SpreadSheetPlugin/test/unit/SpreadSheetPlugin/SpreadSheetPluginTests.pm b/SpreadSheetPlugin/test/unit/SpreadSheetPlugin/SpreadSheetPluginTests.pm
index 93a3c269c8..a2d280e41c 100755
--- a/SpreadSheetPlugin/test/unit/SpreadSheetPlugin/SpreadSheetPluginTests.pm
+++ b/SpreadSheetPlugin/test/unit/SpreadSheetPlugin/SpreadSheetPluginTests.pm
@@ -434,6 +434,14 @@ sub test_EVAL {
 $this->assert( $this->CALC('$EVAL(0)') eq '0' );
 }
+sub test_EVAL_GLOB {
+ my ($this) = @_;
+
+ $this->assert( $this->CALC('$EVAL(<*>)') =~ /^ERROR:/ );
+ $this->assert( $this->CALC('$EVAL(< * >)') =~ /^ERROR:/ );
+ $this->assert( $this->CALC('$EVAL(<../../../ee*/* >)') =~ /^ERROR:/ );
+}
+
 sub test_EVEN {
 my ($this) = @_;
 $this->assert( $this->CALC('$EVEN(2)') == 1 );
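Review bot: The two added substitutions only remove `<` at the very start of `$theText` and `>` at its very end, so the guard is positional rather than structural: an angle-bracket pair that does not sit at the string edges is left in the text and still reaches the eval, and Perl treats `<…>` as a glob whenever it appears where a term (not an operator) is expected. The `(\s*)` captures are also dead, because the whitelist on the preceding line already strips every whitespace character. A `<` is only a comparison when it follows an operand, so the structural check is to refuse the expression when `<` opens the text or follows an operator or `(`, through whatever error path this function already uses: `return <error result> if $theText =~ /(?:^|[^0-9.)])</;` — this keeps `1<2`, `(1<2)>0` and `1<2==3>4` working and only rejects `<<`, which the "comparison operators" comment never claimed to support. `_safeEvalPerl` starts before this hunk and its error-return form is not visible here, so the return value needs to match the `ERROR:` prefix the new test expects.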
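Review bot: test_EVAL_GLOB only covers the three inputs the new substitutions were written against (bracket pair at the edges of the expression, with and without spaces) and asserts nothing on the positive side, so the comparison support the filter deliberately keeps has no regression guard against the glob fix. Add one case where the bracket pair is preceded by an operator rather than sitting at the string edge, and pin the comparison path, e.g. `$this->assert( $this->CALC('$EVAL(1<2)') == 1 );` and `$this->assert( $this->CALC('$EVAL((1<2)>0)') == 1 );` — assuming CALC returns Perl's `1` for a true comparison, as the existing `$EVAL(0)` assertion suggests it returns eval's raw result.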