From b20af44b8176a2c2b21577d8b1ddc5fea2d63c5c Mon Sep 17 00:00:00 2001
From: pcanterino <>
Date: Thu, 10 Nov 2005 17:40:44 +0000
Subject: [PATCH] - Fixed a security problem: It was possible to access files and directories above the virtual root directory beginning with the same string as the root directory. For example: If your root directory is "/var/www/user1" it was possible to access "/var/www/user10", "/var/www/user11" and so on. - Updated version number to 3.0.1 - Updated Change Log
---
 CHANGELOG | 11 +++++++++++
 README | 4 ++--
 devedit.pl | 4 ++--
 modules/Tool.pm | 3 ++-
 4 files changed, 17 insertions(+), 5 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index 8e144d2..1a772f1 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,6 +1,17 @@
 Change Log for Dev-Editor
 =========================
 
+Version 3.0.1 (2005-11-10):
+===========================
+
+ Accessing files above the virtual root directory:
+ -------------------------------------------------
+ It was possible to access files and directories above the virtual root
+ directory beginning with the same string as the root directory.
+ For example:
+ If your root directory is "/var/www/user1" it was possible to access
+ "/var/www/user10", "/var/www/user11" and so on.
+
 Version 3.0 (2005-10-18):
 =========================
 
diff --git a/README b/README
index 6e44e2a..16cf24c 100644
--- a/README
+++ b/README
@@ -1,5 +1,5 @@
-ReadMe for Dev-Editor 3.0
-=========================
+ReadMe for Dev-Editor 3.0.1
+===========================
 
 Description
 -----------
diff --git a/devedit.pl b/devedit.pl
index 909550b..39588cf 100644
--- a/devedit.pl
+++ b/devedit.pl
@@ -1,7 +1,7 @@
 #!C:/Programme/Perl/bin/perl.exe -w
 #
-# Dev-Editor 3.0
+# Dev-Editor 3.0.1
 #
 # Dev-Editor's main program
 #
@@ -22,7 +22,7 @@ use Command;
 use Output;
 use Tool;
 
-$VERSION = '3.0';
+$VERSION = '3.0.1';
 
 # Path to configuration file
 # Change if necessary!
diff --git a/modules/Tool.pm b/modules/Tool.pm
index 16d5d72..5ed1ba2 100644
--- a/modules/Tool.pm
+++ b/modules/Tool.pm
@@ -6,7 +6,7 @@ package Tool;
 # Some shared sub routines
 #
 # Author: Patrick Canterino
-# Last modified: 2005-07-23
+# Last modified: 2005-11-10
 #
 
 use strict;
@@ -81,6 +81,7 @@ sub check_path($$)
  # Check if the path is above the root directory
 
  return if(index($path,$root) != 0);
+ return if(substr($path,length($root)) && not File::Spec->file_name_is_absolute(substr($path,length($root))));
 
  # Create short path name
 
--
2.34.1
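Review bot: The added guard on the new `return if(substr(...) ...)` line assumes `$root` never ends in a separator: if `$root` can be a bare filesystem or drive root that keeps its trailing `/` or `\` after the canonicalisation done earlier in check_path (outside this hunk), the remainder after `length($root)` never starts with a separator and every path below that root is rejected. The remainder is also computed twice; binding it once and stating the invariant reads better: `my $rest = substr($path,length($root));` followed by `return if(length($rest) && $root !~ m{[/\\]\z} && not File::Spec->file_name_is_absolute($rest));`, with a comment such as `# $rest is empty for the root itself; otherwise it must begin with a separator, or $root is merely a string prefix (user1 vs. user10)`. Note that an empty remainder deliberately passes, so the root directory itself stays accessible. The check is only as strong as the normalisation of `$path` and `$root` that precedes the `index` comparison (`..` components, mixed separators and, on Windows, case differences must already be resolved), which this hunk does not show; the body of check_path starts before and continues after the hunk.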