- Fixed a security problem:

[devedit.git] / modules / Tool.pm

diff --git a/modules/Tool.pm b/modules/Tool.pm
index e1407a1486e6351057a9d070826ee5d5fe627487..5ed1ba238bf170786ecd099d33f3d65e8b7d7aaf 100644 (file)
--- a/modules/Tool.pm
+++ b/modules/Tool.pm
@@ -6,7 +6,7 @@ package Tool;
 # Some shared sub routines
 #
 # Author:        Patrick Canterino <patrick@patshaping.de>
-# Last modified: 2005-05-07
+# Last modified: 2005-11-10
 #
 
 use strict;
@@ -32,6 +32,7 @@ use base qw(Exporter);
              encode_html
              equal_url
              file_name
+             is_forbidden_file
              mode_string
              multi_string
              upper_path);
@@ -67,8 +68,9 @@ sub check_path($$)
  $first    = abs_path($first);
 
  my $last  = file_name($path);
+ $last     = '' if($last eq '.');
 
- if(-d $first.'/'.$last && not -l $first.'/'.$last)
+ if($last eq '..' || ($^O eq 'MSWin32' && $last =~ m!^\.\.\.+$!))
  {
   $first = abs_path($first.'/'.$last);
   $last  = '';
@@ -79,6 +81,7 @@ sub check_path($$)
  # Check if the path is above the root directory
 
  return if(index($path,$root) != 0);
+ return if(substr($path,length($root)) && not File::Spec->file_name_is_absolute(substr($path,length($root))));
 
  # Create short path name
 
@@ -254,6 +257,29 @@ sub file_name($)
  return $path;
 }
 
+# is_forbidden_file()
+#
+# Check if a file is in the list of forbidden files
+#
+# Params: 1. Array Reference containing the list
+#         2. Filename to check
+#
+# Return: Status code (Boolean)
+
+sub is_forbidden_file($$)
+{
+ my ($list,$file) = @_;
+ $file =~ s!/+$!!g;
+
+ foreach my $entry(@$list)
+ {
+  return 1 if($file eq $entry);
+  return 1 if(index($file,$entry.'/') == 0);
+ }
+
+ return;
+}
+
 # mode_string()
 #
 # Convert a file mode number into a human readable string (rwxr-x-r-x)