From 1fbf10bec35aeb289a9cf3e1c65a826883bffdea Mon Sep 17 00:00:00 2001 From: pcanterino <> Date: Fri, 10 Jun 2005 12:38:36 +0000 Subject: [PATCH 1/1] - Dev-Editor is now able to forbid accessing a file using the configuration file - Added ReadMe file, Change Log and a copy of the Artistic License to the repository --- CHANGELOG | 494 +++++++++++++++++++++++++++++++++++++ LICENSE | 127 ++++++++++ README | 117 +++++++++ devedit.pl | 52 ++-- errors.conf | 1 + modules/Command.pm | 4 +- modules/Config/DevEdit.pm | 23 +- modules/Tool.pm | 26 +- templates/dirlist_dir.htm | 4 +- templates/dirlist_file.htm | 4 +- 10 files changed, 826 insertions(+), 26 deletions(-) create mode 100644 CHANGELOG create mode 100644 LICENSE create mode 100644 README diff --git a/CHANGELOG b/CHANGELOG new file mode 100644 index 0000000..8b2be5e --- /dev/null +++ b/CHANGELOG 
@@ -0,0 +1,494 @@ +Change Log for Dev-Editor +========================= + +New in version 2.3.2 (2005-04-23) +--------------------------------- + + Copying a file out of a directory: + ---------------------------------- + Fixed a really strange bug occuring only on Windows systems. + Dev-Editor was not able to copy (or move) a file out of a directory if the + path, the user entered in the corresponding dialogue, was beginning with "../". + + Empty root directory causes incomplete HTML table: + -------------------------------------------------- + Dev-Editor now does not create an incomplete HTML table if the root directory + is completely empty or no files are matching against the current wildcard. + + move() instead of rename(): + --------------------------- + Dev-Editor now uses the move() function from the File::Copy module to move or + rename files and directories. move() is more reliable than the rename() + function. + + No error message if reading of a directory failed: + -------------------------------------------------- + If reading of a directory failed, no error message was shown. I thought this + bug was fixed... + + Template class updated: + ----------------------- + The template class was updated to version 1.4a. + +New in version 2.3.1 (2005-02-19) +--------------------------------- + + Handling of symbolic links changed: + ----------------------------------- + For security reasons, I completely changed the handling of symbolic links: + Symbolic links are now treated as files, no matter where they point to. The + user is just allowed to see the path where the link points to, he is allowed to + delete the link, to rename it and to overwrite it by renaming an other file. + Nothing else is allowed. + Accessing a symbolic link pointing to a directory caused also a very strange + effect: It was possible to access this directory, but you could not access + the objects in it. 
+ I had to do it in this way because of the very stupid behaviour of abs_path() + from the Cwd module: This function is just able to detect the absolute path of + directories. + Hard links are not affected by this, because it is not possible to detect them + (at least I don't know how to detect them). + + Root directory must not be a symbolic link: + ------------------------------------------- + Now, the root directory must not be a symbolic link. + Sorry for this, I really would have liked to allow the root directory to be a + symbolic link, but if I would allow this, Dev-Editor would not be able to + create files in the root directory. I'm looking for an alternative... + + Use Greenwich Mean Time: + ------------------------ + You may now use Greenwich Mean Time (GMT/UTC) in dates instead of the local + time. + I don't know if anyone needs this, but it could be useful. + + Handle errors produced by File::UseList: + ---------------------------------------- + - Check if unlocking of the list of files in use was successful + - Check if a file could be successfully added to the list of files in use + - Check if a file could be successfully removed from the list of files in use + + Saving to non-existing files: + ----------------------------- + The file saving process was aborted if the user wanted to write text data using + the edit function into a file that does not exists. + The reason was that Dev-Editor thought that this non-existing file was a binary + file. + + Template class updated: + ----------------------- + The template class was updated to version 1.4. + This fixes the problem of the infinitive loops produced by incorrectly nested + {IF} blocks. 
+ + Small changes: + -------------- + - Files locked with the flock() function are now unlocked by the close() + function due to security reasons (see + http://forum.de.selfhtml.org/?t=101375&m=622582) + - Changed the names of two error messages: + dircopy -> dir_copy + editdir -> dir_edit + - Fixed various small errors in some template files + - The regular expression used by file_name() and upper_path() to detect Windows + drive letters was not case-insensitive + +New in version 2.3 (2005-01-08) +------------------------------- + + Filter directory listing: + ------------------------- + Dev-Editor is now able to filter the directory listing using DOS-style + wildcards. + I think that is a little bit incomplete, Dev-Editor should be able to + "remember" the filter wildcard during the actions. + The code for parsing DOS-style wildcards is from the File::DosGlob module by + Gurusamy Sarathy. + + flock(): + -------- + Dev-Editor now uses flock(). + flock() is called using a wrapper function which checks if it is really + available. + + check_path() broken on Windows: + ------------------------------- + On Windows systems the check_path() routine was heavily broken (this routine + checks if someone tries to access a path above the virtual root directory). It + was possible to access files above the root directory by accessing a path with + "..." or "...." or something like that as the last path component. This bug was + caused by the rewrite of check_path() in Dev-Editor 2.2. + + "." or ".." as end of a path: + ----------------------------- + If you enter a path with "." or ".." as the last path component, Dev-Editor + showed a really strange behaviour by allowing to enter a path like + "something/." or "something/..". This was also caused by the (poor) rewrite of + check_path(). The problem is fixed now. 
+ + Paths beginning with "/../" caused problems: + -------------------------------------------- + When composing the temporary virtual path for a new file, don't call + clean_path(). It is unnecessary and it also caused a problem if this path would + begin with /../, because on UNIX systems, canonpath() removes /../ at the + beginning of a path. So if a user wanted to create the file /../file.ext (but + he wasn't allowed to), he created /file.ext. + + Deny changing file properties in some cases: + -------------------------------------------- + - Do not allow to change the properties of the root directory + - Do not allow to change the properties of a file in use + + Deny overwriting files: + ----------------------- + - While processing a file upload, check if the user wants to replace a + directory or overwrite a write-protected file + - If the user wants to copy or rename a file, check if he wants to overwrite a + write-protected file + - Do not allow to upload a file if a file with the same virtual name is + currently in use + + Validate file uploads: + ---------------------- + Dev-Editor now tries to validate a file upload by checking the handle created + by the CGI module. + + Improved configuration file parser: + ----------------------------------- + - The parser now ignores lines like that: + = Value + Such lines could lead to properties with empty keys in the configuration + hash. 
+ - Allow configuration options with empty values + - If a option is defined twice, the line number of the second one is shown in + the error message + + Output changes: + --------------- + - More encoding of HTML entities + - In directory listing, the "Edit" link of files in use were not greyed (very + nasty) + - Show the name of the lock file in error messages even if it has not been + defined in the configuration file + + Small internal changes: + ----------------------- + - The file saving process is now completely centralized in File::Access + - When generating a redirection header, check if we really have to create a + query string + - Fixed a bug occuring if the "curdir" CGI parameter had no trailing slash and + the "newfile" parameter had no leading slash + - Dev-Editor now takes more care of Windows drive letters + - Trying to increase speed of the script by surrounding static values by single + quotes + - Code cleaning + +New in version 2.2a (2004-11-29) +-------------------------------- + + File uploads did not work: + -------------------------- + Dev-Editor normally tests if it has enough permissions to upload a file to a + directory. But the condition was missing and so Dev-Editor always aborted file + uploads and didn't even display the dialogue. + +New in version 2.2 (2004-11-27) +------------------------------- + + `chgrp` system command and numerical group names: + ------------------------------------------------- + When changing the group, Dev-Editor is now using the `chgrp` system command. + This allows to use numerical group names. Before, Dev-Editor handled numerical + values as group IDs. + + Checking root directory: + ------------------------ + Dev-Editor now checks if the root directory exists and if it may be accessed. + This fixed also bug where it was possible to access the physical root directory + if Dev-Editor could not enter the virtual root directory. 
+ + Checking directory permissions: + ------------------------------- + Dev-Editor does some simple checks of directory permissions now: + - Inaccessible directories are greyed in directory listing. You cannot access + them, but the actions are not disabled, because they may work. + - Actions needing write access to a directory are aborted if Dev-Editor has no + write access. + + Access a directory structure similar to the root directory: + ----------------------------------------------------------- + The path the user wants to access must now BEGIN with the root directory. The + old check made it possible to access a directory structure outside the root + directory similar to the root directory. + + Changing mode of a directory with mode 000: + ------------------------------------------- + It was not possible to change the mode of a directory with mode 000. + + Upload only to directories: + --------------------------- + Dev-Editor now checks if the user really uploads a file to a directory. + + Improved About dialogue: + ------------------------ + - Dev-Editor now only shows the main group ID of the process user. + - Dev-Editor also shows the current umask of the process. + - Special chars in most values are now encoded to entities. + + Added
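Review bot: The new CHANGELOG opens with "New in version 2.3.2 (2005-04-23)" and, in the part of the hunk visible here, has no entry for the change this commit's subject announces, that Dev-Editor can now forbid access to a file through the configuration file. Since that is an access-control feature, add an entry at the top naming the configuration option and stating how a forbidden path is matched against the requested one, in the same detail as the existing check_path() and symbolic-link entries. It would also help to mark the entries that fix access above the root directory (the "..." path component on Windows, the "/../" prefix removed by canonpath(), the root-directory prefix check) as security fixes so they stand out from the ordinary bug fixes. Minor: "occuring" should be "occurring" in the 2.3.2 and 2.3 entries, and "infinitive loops" should be "infinite loops" in the 2.3.1 entry.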