
Item14014: Use NameFilter to sanitize templates

1 parent b566806 commit e49ed4bfbb86cd22a19ef797fe22d18e61dc377a @gac410 gac410 committed Mar 9, 2016
@@ -84,7 +84,7 @@ sub initPlugin {
$tryname =~ s/[^A-Za-z0-9_,.\/]//g;
}
else {
- $tryname =~ s/$Foswiki::regex{filenameInvalidCharRegex}//g;
+ $tryname =~ s/$Foswiki::regex{webTopicInvalidCharRegex}//g;
}
if ( $tryname ne $templateName ) {
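Review bot: The `+` line makes the plugin depend on `$Foswiki::regex{webTopicInvalidCharRegex}`, which only exists on a core that carries the other hunks of this commit; on an older core the value is undef, the pattern interpolates to the empty string, and Perl then substitutes with the last successfully matched regex instead, so the substitution strips an unpredictable set of characters and the `$tryname ne $templateName` check on the following line can accept a name that was never sanitised. Look the regex up once with a fallback to the older key, `my $filter = $Foswiki::regex{webTopicInvalidCharRegex} || $Foswiki::regex{filenameInvalidCharRegex};` and then `$tryname =~ s/$filter//g;`, so the filter never degrades to an empty pattern. The same interpolation appears in the _readTemplateFile and oops hunks, but those are in the core that defines the key in this commit. The `if` branch's condition and the rest of initPlugin are outside the hunk.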
@@ -140,8 +140,7 @@ sub test_filterTopicName {
my $expecthex =
'\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f "#$%&\'*:;<>?@[\]^`|~';
$this->assert_str_equals( $expecthex, $hex,
-"Expected: ($expecthex)\n Got: ($hex)\nHas {AttachmentNameFilter} changed?"
- );
+ "Expected: ($expecthex)\n Got: ($hex)\nHas {NameFilter} changed?" );
$this->assert_num_equals( 53, length($crap) );
return;
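Review bot: The assertion pins which characters {NameFilter} removes but not which ones survive, and the template code in this commit relies on `.` staying in the name (the `.tmpl` suffix check in _readTemplateFile); a second assertion that a name built from alphanumerics, `.` and `/` passes through unchanged would catch a configuration change that breaks template lookup rather than only one that weakens filtering. The bare `53` on the `assert_num_equals` line is a magic number that matches the expected string above it, so a trailing comment such as `# 32 control characters plus the 21 printable characters in $expecthex` would keep the two in step. The value under test and the start of test_filterTopicName are outside the hunk.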
View
@@ -568,6 +568,7 @@ qr(AERO|ARPA|ASIA|BIZ|CAT|COM|COOP|EDU|GOV|INFO|INT|JOBS|MIL|MOBI|MUSEUM|NAME|NE
# See RobustnessTests::test_sanitizeAttachmentName
#
# Actually, this is used in GenPDFPrincePlugin; let's copy NameFilter
+ $regex{webTopicInvalidCharRegex} = qr/$Foswiki::cfg{NameFilter}/;
$regex{filenameInvalidCharRegex} = qr/$Foswiki::cfg{AttachmentNameFilter}/;
# Multi-character alpha-based regexes
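Review bot: The added line compiles `qr/$Foswiki::cfg{NameFilter}/` without checking that the key is set; if a site configuration lacks {NameFilter}, the interpolation is undef, the result is a regex that only matches the empty string, and every `s/$Foswiki::regex{webTopicInvalidCharRegex}//g` in the other hunks becomes a silent no-op, which disables the Item5324 XSS filter that the oops hunk relies on rather than failing loudly. Consider guarding the assignment, e.g. `die 'NameFilter is not configured' unless defined $Foswiki::cfg{NameFilter};` before the `qr`, or falling back to a known-safe pattern. The two comment lines above still describe only the attachment filter; a short comment on the new entry, `# Characters not allowed in web, topic and template names ({NameFilter})`, would document what it is for.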
@@ -381,7 +381,7 @@ sub _readTemplateFile {
my $session = $this->{session};
# zap anything suspicious
- $name =~ s/$Foswiki::regex{filenameInvalidCharRegex}//g;
+ $name =~ s/$Foswiki::regex{webTopicInvalidCharRegex}//g;
# if the name ends in .tmpl, then this is an explicit include from
# the templates directory. No further searching required.
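Review bot: The rewrite at the `+` line silently drops forbidden characters and then continues the lookup with the altered name, so a tampered template name resolves to some other template with no trace; the GenPDFPrincePlugin hunk in this commit instead compares the name before and after filtering, and this function would benefit from the same check, at minimum recording through the session logger when the two differ so that such requests are visible in the logs. The `# zap anything suspicious` comment does not say what is removed or what happens to the name afterwards; `# Strip characters forbidden by {NameFilter}; the name is rewritten, not rejected, so a bad name resolves to a different template` states the actual contract. _readTemplateFile starts and ends outside the hunk.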
@@ -107,7 +107,7 @@ sub oops {
$tmplName ||= 'oops';
# Item5324: Filter to block XSS
- $tmplName =~ s/$Foswiki::regex{filenameInvalidCharRegex}//g;
+ $tmplName =~ s/$Foswiki::regex{webTopicInvalidCharRegex}//g;
# Do not pass on the template parameter otherwise continuation won't work
$query->delete('template');
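Review bot: The default `$tmplName ||= 'oops'` is applied before the filter on the `+` line, so a template parameter consisting only of characters that {NameFilter} forbids is left as the empty string after sanitising and the empty name is carried on to whatever uses it below the hunk. Re-apply the default after filtering, `$tmplName =~ s/$Foswiki::regex{webTopicInvalidCharRegex}//g;` followed by `$tmplName = 'oops' unless length $tmplName;`, so an all-invalid name degrades to the oops template instead of an empty one. How an empty name is handled further down is outside the hunk, as is the rest of oops.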

