* Fix security hole which can expose arbitrary variable contents.

interchange · Mar 28, 2004 · 7529ac7 · 7529ac7
1 parent 17758b1
commit 7529ac7
Showing 1 changed file with 7 additions and 6 deletions.
diff --git a/lib/Vend/Page.pm b/lib/Vend/Page.pm
@@ -1,6 +1,6 @@
 # Vend::Page - Handle Interchange page routing
 # 
-# $Id: Page.pm,v 2.16 2003-12-27 01:08:33 jon Exp $
+# $Id: Page.pm,v 2.17 2004-03-28 20:29:39 mheins Exp $
 #
 # Copyright (C) 2002-2003 Interchange Development Group
 # Copyright (C) 1996-2002 Red Hat, Inc.
@@ -46,7 +46,7 @@ use strict;
 
 use vars qw/$VERSION/;
 
-$VERSION = substr(q$Revision: 2.16 $, 10);
+$VERSION = substr(q$Revision: 2.17 $, 10);
 
 my $wantref = 1;
 
@@ -56,13 +56,14 @@ sub display_special_page {
 
 	undef $Vend::write_redirect;
 
-	$name =~ m/[\[<]/
+	$name =~ m/[\[<]|[\@_]_[A-Z]\w+_[\@_]|\@\@[A-Z]\w+\@\@/
 		and do {
 			::logGlobal(
 					"Security violation -- scripting character in page name '%s'.",
 					$name,
 				);
-			$name = 'violation';
+			$name = find_special_page('violation');
+			1 while $subject =~ s/[\@_]_/_/g;
 		};
 
 	$subject ||= 'unspecified error';
@@ -90,13 +91,13 @@ sub display_page {
 
 	$name ||= $CGI::values{mv_nextpage};
 
-	$name =~ m/[\[<]/
+	$name =~ m/[\[<]|[\@_]_[A-Z]\w+_[\@_]|\@\@[A-Z]\w+\@\@/
 		and do {
 			::logGlobal(
 					"Security violation -- scripting character in page name '%s'.",
 					$name,
 				);
-			$name = 'violation';
+			$name = find_special_page('violation');
 			return display_special_page($name);
 		};