
Multiple security fixes, tightening up opens with explicit "< $filename".

Added hook for IPC structure dump in minivend.PL
1 parent 7d6940b commit 56f620af65de2a7e294751035de31089437f0812 @perusionmike perusionmike committed Jul 20, 2000
Showing with 60 additions and 37 deletions.
  1. +2 −2 scripts/compile_link.PL
  2. +1 −1 scripts/configdump.PL
  3. +3 −3 scripts/dump.PL
  4. +2 −2 scripts/expire.PL
  5. +2 −2 scripts/expireall.PL
  6. +3 −3 scripts/localize.PL
  7. +8 −8 scripts/makecat.PL
  8. +34 −11 scripts/minivend.PL
  9. +2 −2 scripts/restart.PL
  10. +3 −3 scripts/update.PL
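--- a/scripts/compile_link.PL
+++ b/scripts/compile_link.PL
@@ -25,7 +25,7 @@ DOIT: {
 #
 # Interchange link program configurator
 #
-# $Id: compile_link.PL,v 1.2 2000-07-12 03:08:12 heins Exp $
+# $Id: compile_link.PL,v 1.3 2000-07-20 07:24:13 heins Exp $
 #
 # Copyright (C) 1996-2000 Akopia, Inc. <info@akopia.com>
 #
@@ -206,7 +206,7 @@ foreach my $targ (@edit_files) {
 my $src = "$targ.tmp";
 rename $targ, $src
 or die "Couldn't rename $targ to $src: $!\n";
-open (IN, $src)
+open (IN, "< $src")
 or die "Couldn't read $src: $!\n";
 open (OUT, ">$targ")
 or die "Couldn't write $targ: $!\n";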
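--- a/scripts/configdump.PL
+++ b/scripts/configdump.PL
@@ -92,7 +92,7 @@ my($name,$dir,$param,$subcat,$subconfig,$junk);
 chdir $Global::VendRoot;
 if ($catalog) {
-open(GLOBAL, $Global::ConfigFile) or
+open(GLOBAL, "< $Global::ConfigFile") or
 die "No global configuration file? Aborting.\n";
 while(<GLOBAL>) {
 next unless /^\s*(sub)?catalog\s+$catalog\s+/i;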
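Review bot: `$catalog` is interpolated unescaped into the regex on the last line of the hunk, so a catalog name containing regex metacharacters (`.`, `+`, `(`) is treated as a pattern rather than a literal name and can select a different `catalog` line or none at all; `next unless /^\s*(sub)?catalog\s+\Q$catalog\E\s+/i;` matches it literally. Where `$catalog` is set is outside the hunk, presumably from the command line. The same unquoted interpolation is visible in the corresponding hunks of dump.PL, expire.PL and update.PL, so the fix applies there too.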
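--- a/scripts/dump.PL
+++ b/scripts/dump.PL
@@ -25,7 +25,7 @@ DOIT: {
 #
 # Interchange session dumper
 #
-# $Id: dump.PL,v 1.2 2000-07-12 03:08:12 heins Exp $
+# $Id: dump.PL,v 1.3 2000-07-20 07:24:13 heins Exp $
 #
 # Copyright (C) 1996-2000 Akopia, Inc. <info@akopia.com>
 #
@@ -189,7 +189,7 @@ die "too many args, aborting.\n"
 if(defined $catalog) {
 my($name,$dir,$param,$subcat,$subconfig,$junk);
 chdir $Global::VendRoot;
-open(GLOBAL, $Global::ConfigFile) or
+open(GLOBAL, "< $Global::ConfigFile") or
 die "No global configuration file? Aborting.\n";
 while(<GLOBAL>) {
 next unless /^\s*(sub)?catalog\s+$catalog\s+/i;
@@ -239,7 +239,7 @@ dump -- Interchange session dumper
 =head1 VERSION
-$Id: dump.PL,v 1.2 2000-07-12 03:08:12 heins Exp $
+$Id: dump.PL,v 1.3 2000-07-20 07:24:13 heins Exp $
 =head1 SEE ALSO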
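--- a/scripts/expire.PL
+++ b/scripts/expire.PL
@@ -25,7 +25,7 @@ DOIT: {
 #
 # Interchange session expiration
 #
-# $Id: expire.PL,v 1.2 2000-07-12 03:08:12 heins Exp $
+# $Id: expire.PL,v 1.3 2000-07-20 07:24:13 heins Exp $
 #
 # Copyright (C) 1996-2000 Akopia, Inc. <info@akopia.com>
 #
@@ -192,7 +192,7 @@ my $g;
 if(defined $catalog) {
 my($name,$dir,$param);
 chdir $Global::VendRoot;
-open(GLOBAL, $Global::ConfigFile) or
+open(GLOBAL, "< $Global::ConfigFile") or
 die "No global configuration file? Aborting.\n";
 while(<GLOBAL>) {
 next unless /^\s*((?:sub)?catalog)\s+($catalog\s+.*)/i;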
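--- a/scripts/expireall.PL
+++ b/scripts/expireall.PL
@@ -82,7 +82,7 @@ PARSECFG: {
 my $file;
 my @cfglines;
-open(MVCFG, $Configfile) or die "Couldn't read $Configfile: $!\n";
+open(MVCFG, "< $Configfile") or die "Couldn't read $Configfile: $!\n";
 while(<MVCFG>) { push(@cfglines, $_) if /^\s*catalog\s+/i }
 close MVCFG;
@@ -106,7 +106,7 @@ expireall -- Run Interchange expire on all catalogs
 =head1 VERSION
-$Id: expireall.PL,v 1.2 2000-07-12 03:08:12 heins Exp $
+$Id: expireall.PL,v 1.3 2000-07-20 07:24:13 heins Exp $
 =head1 DESCRIPTION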
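--- a/scripts/localize.PL
+++ b/scripts/localize.PL
@@ -24,7 +24,7 @@ DOIT: {
 #
 # Interchange localizer
 #
-# $Id: localize.PL,v 1.2 2000-07-12 03:08:12 heins Exp $
+# $Id: localize.PL,v 1.3 2000-07-20 07:24:13 heins Exp $
 #
 # Copyright (C) 1996-2000 Akopia, Inc. <info@akopia.com>
 #
@@ -140,7 +140,7 @@ Vend::Config::setcat($C);
 if(! $opt_m) {
 # do nothing
 }
-elsif ( open(CONFIG, $opt_m) ) {
+elsif ( open(CONFIG, "< $opt_m") ) {
 my $value;
 while (<CONFIG>) {
 chomp;
@@ -353,7 +353,7 @@ localize -- produce Interchange localization file from set of pages
 =head1 VERSION
-$Id: localize.PL,v 1.2 2000-07-12 03:08:12 heins Exp $
+$Id: localize.PL,v 1.3 2000-07-20 07:24:13 heins Exp $
 =head1 SYNOPSIS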
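Review bot: `open(CONFIG, "< $opt_m")` in the second hunk is still a two-argument open, so Perl still parses the string: leading and trailing whitespace in `$opt_m` is stripped and a value of `-` opens STDIN rather than a file named `-`; the explicit `<` only removes the `>`, `>>` and `|` prefix/suffix cases. Since `$opt_m` is a user-supplied option value, the three-argument form `open(CONFIG, '<', $opt_m)` takes it literally, if the scripts can require Perl 5.6; otherwise a short comment on the line noting the residual parsing would help the next reader. The `else` branch taken when the open fails is outside the hunk.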
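--- a/scripts/makecat.PL
+++ b/scripts/makecat.PL
@@ -296,7 +296,7 @@ READCONFIG: {
 my $cfgfile = "etc/$catalog_name.makecat.cfg";
 last READCONFIG unless -f $cfgfile;
-open(READCONFIG, $cfgfile) or die "read $cfgfile: $!\n";
+open(READCONFIG, "< $cfgfile") or die "read $cfgfile: $!\n";
 while(<READCONFIG>) {
 next unless /^\s*[A-Z]\w*\s+\S/;
@@ -1368,11 +1368,11 @@ else {
 ADDITIONAL: {
 last ADDITIONAL unless -f "$dir/config/additional_fields";
-open(ADDL, "$dir/config/additional_fields")
+open(ADDL, "< $dir/config/additional_fields")
 or last ADDITIONAL;
 my %help;
 local ($/) = "";
-if(open(ADDLHELP, "$dir/config/additional_help") ) {
+if(open(ADDLHELP, "< $dir/config/additional_help") ) {
 while(<ADDLHELP>) {
 my($parm,$help) = split /\n/, $_, 2;
 $help =~ s/\s*$/\n\n/;
@@ -1418,7 +1418,7 @@ ADDITIONAL: {
 PRECMD: {
 last PRECMD unless -f "$dir/config/precopy_commands";
-open(ADDL, "$dir/config/precopy_commands")
+open(ADDL, "< $dir/config/precopy_commands")
 or last PRECMD;
 print "\nFound system commands to run.\n\n";
 local ($/) = "";
@@ -1554,7 +1554,7 @@ sub wanted {
 last EDIT unless (-f _);
 last EDIT unless (-T _);
-open(IN, $file) or die "Couldn't open $name: $!\n";
+open(IN, "< $file") or die "Couldn't open $name: $!\n";
 open(OUT, ">$file.new") or die "Couldn't create $name.new: $!\n";
 while(<IN>) {
 ( (print OUT $_), next) unless /__MV[CR]/;
@@ -1731,7 +1731,7 @@ EOF
 POSTCMD: {
 last POSTCMD unless -f "$dir/config/postcopy_commands";
-open(ADDL, "$dir/config/postcopy_commands")
+open(ADDL, "< $dir/config/postcopy_commands")
 or last POSTCMD;
 print "\nFound additional system commands to run.\n\n";
 local ($/) = "";
@@ -1796,7 +1796,7 @@ POSTCMD: {
 else {
 File::Copy::copy('minivend.cfg.dist', $tmpfile);
 }
-open(CFG, $tmpfile)
+open(CFG, "< $tmpfile")
 or die "\nCouldn't open $tmpfile: $!\n";
 while(<CFG>) {
 $mark = $. if /^#?catalog\s+/i;
@@ -1946,7 +1946,7 @@ makecat [--options] name
 =head1 VERSION
-$Id: makecat.PL,v 1.5 2000-07-12 03:08:12 heins Exp $
+$Id: makecat.PL,v 1.6 2000-07-20 07:24:13 heins Exp $
 =head1 INTRODUCTION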
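--- a/scripts/minivend.PL
+++ b/scripts/minivend.PL
@@ -25,7 +25,7 @@ DOIT: {
 #
 # Interchange version 4.5.x
 #
-# $Id: minivend.PL,v 1.11 2000-07-12 03:08:12 heins Exp $
+# $Id: minivend.PL,v 1.12 2000-07-20 07:24:13 heins Exp $
 #
 # Copyright (C) 1996-2000 Akopia, Inc. <info@akopia.com>
 #
@@ -123,7 +123,7 @@ use vars qw($VERSION);
 require Exporter;
 BEGIN {
-$VERSION = '4.5.3';
+$VERSION = '4.5.4';
 }
@@ -960,7 +960,7 @@ sub config_named_catalog {
 if ($c->{Static}) {
 print "loading static page names..." unless $Vend::Quiet;
 last READSTATIC if $c->{StaticDBM};
-open STATICPAGE, "$basedir/.static"
+open STATICPAGE, "< $basedir/.static"
 or warn <<EOF;
 Couldn't read static page status file $basedir/.static: $!
 EOF
@@ -1029,7 +1029,14 @@ EOF
 return undef;
 }
+if ($c->{IPC}) {
+my $dir = '.';
+$dir = $c->{IPCdir} if $c->{IPCdir};
+dump_structure($c, "$dir/$g->{name}");
+chmod($c->{IPCmode} | 0644 , "$dir/$g->{name}")
+}
 dump_structure($c, $g->{name}) if $Global::DumpStructure;
+
 undef $c->{Source};
 my $stime = scalar localtime();
 Vend::Util::writefile(">$Global::ConfDir/status.$g->{name}", "$stime\n");
@@ -1049,6 +1056,7 @@ sub is_retired {
 sub retire_id {
 my $id = shift;
+return unless $id =~ /^\w+$/;
 mkdir "$Vend::Cfg->{ScratchDir}/retired", 0777
 unless -d "$Vend::Cfg->{ScratchDir}/retired";
 my $fn = Vend::Util::get_filename($id, 2, 1, "$Vend::Cfg->{ScratchDir}/retired");
@@ -1297,13 +1305,13 @@ EOF
 }
 }
-chdir $Vend::Cfg->{'VendRoot'}
-or die "Couldn't change to $Vend::Cfg{'VendRoot'}: $!\n";
+chdir $Vend::Cfg->{VendRoot}
+or die "Couldn't change to $Vend::Cfg->{VendRoot}: $!\n";
 set_file_permissions();
 # STATICPAGE
 tie_static_dbm() if $Vend::Cfg->{StaticDBM};
 # END STATICPAGE
-umask $Vend::Cfg->{'Umask'};
+umask $Vend::Cfg->{Umask};
 open_database();
 $CGI::user = Vend::Util::check_authorization($CGI::authorization)
@@ -1342,6 +1350,20 @@ EOF
 $sessionid = generate_key($CGI::remote_addr . $CGI::useragent);
 }
 }
+elsif ($sessionid !~ /^\w+$/) {
+my $msg = get_locale_message(
+403,
+"Unauthorized for that session %s. Logged.",
+$sessionid,
+);
+$Vend::StatusLine = <<EOF;
+Status: 403 Unauthorized
+Content-Type: text/plain
+EOF
+::response($msg);
+logGlobal($msg);
+return;
+}
 # DEBUG
 #::logDebug ("session='$sessionid' cookie='$CGI::cookie' chost='$CGI::cookiehost'");
@@ -1462,7 +1484,7 @@ EOF
 $Vend::Session->{logged_in} && ! $Vend::Cfg->{StaticLogged};
 $CGI::pragma = 'no-cache'
-if delete $Vend::Session->{scratch}{mv_no_cache};
+if delete $::Scratch->{mv_no_cache};
 $Vend::FinalPath = $Vend::Session->{last_url} = $CGI::path_info;
 if( defined $Vend::Session->{one_time_path_alias}{$Vend::FinalPath} ) {
@@ -1498,18 +1520,18 @@ EOF
 ROUTINES: {
 last ROUTINES unless index($Vend::FinalPath, '/process/') == 0;
 while ($Vend::FinalPath =~ s:/process/(locale|language|currency)/([^/]*)/:/process/:) {
-$Vend::Session->{scratch}->{"mv_$1"} = $2;
+$::Scratch->{"mv_$1"} = $2;
 }
 $Vend::FinalPath =~ s:/process/page/:/:;
 }
 my $locale;
-if($locale = $Vend::Session->{scratch}->{mv_language}) {
+if($locale = $::Scratch->{mv_language}) {
 $Global::Variable->{LANG}
 = $::Variable->{LANG} = $locale;
 }
 if ($Vend::Cfg->{Locale} and
-$locale = $Vend::Session->{scratch}->{mv_locale} and
+$locale = $::Scratch->{mv_locale} and
 defined $Vend::Cfg->{Locale_repository}->{$locale}
 )
 {
@@ -1519,7 +1541,8 @@ EOF
 = $locale
 if ! $::Scratch->{mv_language};
 Vend::Util::setlocale( $locale,
-($Vend::Session->{scratch}{mv_currency} || undef)
+($::Scratch->{mv_currency} || undef),
+{ persist => 1 }
 );
 }
 # END LEGACY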
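Review bot: In the new IPC block of config_named_catalog, `chmod($c->{IPCmode} | 0644 , ...)` uses bitwise OR, so whatever `IPCmode` an administrator configures the structure dump always ends up at least world-readable (0644 is OR'ed in, never replaced), and a string value such as `"0600"` would be numified as decimal 600 by the numeric `|`; if the intent is a default for when `IPCmode` is unset, `chmod(oct($c->{IPCmode} || '0644'), "$dir/$g->{name}");` says that, assuming Vend::Config has not already converted the value (not visible here). The dump is also written under `$dir`, which defaults to `.`, i.e. whatever the current directory happens to be at configuration time, and neither `dump_structure` nor `chmod` has its return checked, so a failed or misplaced dump goes unnoticed. Separately, both new `/^\w+$/` checks (in retire_id and on `$sessionid`) still accept a trailing newline because `$` matches before it; `/^\w+\z/` closes that gap. config_named_catalog starts and ends outside the hunk.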
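--- a/scripts/restart.PL
+++ b/scripts/restart.PL
@@ -25,7 +25,7 @@ DOIT: {
 #
 # Interchange restarter
 #
-# $Id: restart.PL,v 1.2 2000-07-12 03:08:13 heins Exp $
+# $Id: restart.PL,v 1.3 2000-07-20 07:24:13 heins Exp $
 #
 # Copyright (C) 1996-2000 Akopia, Inc. <info@akopia.com>
 #
@@ -87,7 +87,7 @@ sub get_id {
 @files = ("$Global::VendRoot/.uid", "$Global::VendRoot/_uid");
 my $uid;
 for(@files) {
-open(UID, "< $_") or next;
+open(UID, "< $_") or next;
 $uid = <UID>;
 chomp($uid);
 last;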
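Review bot: Nothing in the get_id hunk validates the value read from `.uid`/`_uid` beyond `chomp`, so an empty or malformed file yields an arbitrary string (or `undef` from an empty file) as the id; if the value is expected to be numeric, `next unless defined $uid and $uid =~ /^\d+\z/;` before the `last` would fall through to the next candidate file instead. The bareword `UID` handle is also left open after `last`; a `close UID;` after the read keeps it from lingering for the rest of the script. How `$uid` is consumed after the loop is outside the hunk.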
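--- a/scripts/update.PL
+++ b/scripts/update.PL
@@ -25,7 +25,7 @@ DOIT: {
 #
 # update - Interchange database updater
 #
-# $Id: update.PL,v 1.2 2000-07-12 03:08:13 heins Exp $
+# $Id: update.PL,v 1.3 2000-07-20 07:24:13 heins Exp $
 #
 # Copyright (C) 1996-2000 Akopia, Inc. <info@akopia.com>
 #
@@ -198,7 +198,7 @@ elsif (!defined $Inputfile and ! @Fields and !@Values) {
 my($name,$dir,$param,$subcat,$subconfig);
 chdir $Global::VendRoot;
-open(GLOBAL, $Global::ConfigFile) or
+open(GLOBAL, "< $Global::ConfigFile") or
 die "No global configuration file? Aborting.\n";
 while(<GLOBAL>) {
 next unless /^\s*(sub)?catalog\s+$Catalog\s+/i;
@@ -265,7 +265,7 @@ print "setting ${Name}::${field}::$Key=$val\n";
 }
 }
 else {
-open INPUT, $Inputfile or die "Couldn't open input file $Inputfile: $!\n";
+open (INPUT, "< $Inputfile") or die "Couldn't open input file $Inputfile: $!\n";
 while(<INPUT>) {
 chomp;
 s/[\r\cZ]+//;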
