
Prevent use of commands in filename to show https://sourceforge.net/t…

1 parent ed73650 commit 1f1411fe7404ec3ac03e803cfa7e01515e71a213 @jcameron jcameron committed Jul 10, 2012
Showing with 4 additions and 1 deletion.
  1. +1 −0 file/lang/en
  2. +3 −1 file/show.cgi
@@ -168,6 +168,7 @@ view_ecmd=The command $1 needed to create an archive is not installed
view_ecomp=Failed to create archive : $1
view_earchive=You are not allowed to download archives
view_earchmax=The selected directory is larger than the maximum allowed for archiving ($1 bytes)
+view_epathinfo=Path contains invalid characters
paste_ecopy=You must cut or copy before pasting
paste_egone=Copied file $1 no longer exists
@@ -7,6 +7,8 @@ require './file-lib.pl';
&ReadParse();
use POSIX;
$p = $ENV{'PATH_INFO'};
+($p =~ /^\s*\|/ || $p =~ /\|\s*$/ || $p =~ /\0/) &&
+ &error_exit($text{'view_epathinfo'});
if ($in{'type'}) {
# Use the supplied content type
$type = $in{'type'};
@@ -116,7 +118,7 @@ if ($in{'format'}) {
close(FILE);
}
else {
- if (!open(FILE, $p)) {
+ if (!open(FILE, "<", $p)) {
# Unix permissions prevent access
&error_exit(&text('view_eopen', $p, $!));
}
