From d157a97452ae0641f87996b6d0f21c9d222cef3d Mon Sep 17 00:00:00 2001
From: Simon McVittie
Date: Wed, 11 Jan 2017 13:22:03 +0000
Subject: CGI, attachment, passwordauth: harden against repeated parameters

These instances of code similar to OVE-20170111-0001 are not believed to be exploitable, because defined(), length(), setpassword(), userinfo_set() and the binary "." operator all have prototypes that force the relevant argument to be evaluated in scalar context. However, using a safer idiom makes mistakes less likely.
(cherry picked from commit 69230a2220f673c66b5ab875bfc759b32a241c0d)
---
 IkiWiki/Plugin/attachment.pm | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
(limited to 'IkiWiki/Plugin/attachment.pm')
diff --git a/IkiWiki/Plugin/attachment.pm b/IkiWiki/Plugin/attachment.pm
index 428b363b6..852769f60 100644
--- a/IkiWiki/Plugin/attachment.pm
+++ b/IkiWiki/Plugin/attachment.pm
@@ -158,8 +158,9 @@ sub formbuilder (@) {
 }
 $add.="\n";
 }
+ my $content = $form->field('editcontent');
 $form->field(name => 'editcontent',
- value => $form->field('editcontent')."\n\n".$add,
+ value => $content."\n\n".$add,
 force => 1) if length $add;
 }
@@ -222,12 +223,12 @@ sub attachment_store {
 $filename=IkiWiki::basename($filename);
 $filename=~s/.*\\+(.+)/$1/; # hello, windows
 $filename=IkiWiki::possibly_foolish_untaint(linkpage($filename));
- my $dest=attachment_holding_location($form->field('page'));
+ my $dest=attachment_holding_location(scalar $form->field('page'));
 # Check that the user is allowed to edit the attachment.
 my $final_filename=
 linkpage(IkiWiki::possibly_foolish_untaint(
- attachment_location($form->field('page')))).
+ attachment_location(scalar $form->field('page')))).
 $filename;
 eval {
 if (IkiWiki::file_pruned($final_filename)) {
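Review bot: The added `my $content = $form->field('editcontent');` in formbuilder carries no comment explaining why the value is copied into a lexical first, so a later cleanup could fold it back into the `value =>` argument, which is only safe while the concatenation happens to force scalar context. A one-line comment above it would keep the intent visible, for example `# scalar assignment: take a single value even if the parameter is repeated`. This is documentation only; the commit message already states the old form was not believed exploitable. formbuilder's body starts and ends outside the hunk.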
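Review bot: `scalar $form->field('page')` is evaluated twice in attachment_store, once for `$dest` and once inside `$final_filename`, so the holding path and the path that is permission-checked come from two separate reads of the request parameter. Reading it once with `my $page = $form->field('page');` and passing `$page` to both `attachment_holding_location()` and `attachment_location()` would match the idiom the first hunk uses for `editcontent` and make it evident that both paths derive from one value. The same applies to attachments_save in the last hunk, where the second read sits inside the `foreach` loop and is loop-invariant. Both functions extend beyond their hunks, so an existing `$page` lexical outside the visible lines cannot be ruled out.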
@@ -281,12 +282,12 @@ sub attachments_save {
 # Move attachments out of holding directory.
 my @attachments;
- my $dir=attachment_holding_location($form->field('page'));
+ my $dir=attachment_holding_location(scalar $form->field('page'));
 foreach my $filename (glob("$dir/*")) {
 $filename=Encode::decode_utf8($filename);
 next unless -f $filename;
 my $destdir=linkpage(IkiWiki::possibly_foolish_untaint(
- attachment_location($form->field('page'))));
+ attachment_location(scalar $form->field('page'))));
 my $absdestdir=$config{srcdir}."/".$destdir;
 my $destfile=IkiWiki::basename($filename);
 my $dest=$absdestdir.$destfile;
--
cgit v1.2.3
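Review bot: `glob("$dir/*")` in attachments_save interpolates `$dir`, which is derived from the request's `page` value, into a glob pattern. Perl's `glob` splits its argument on whitespace and expands metacharacters such as `*`, `?`, `[` and `{`, so a directory name containing any of these would enumerate a different set of files than the holding directory's contents. Whether `attachment_holding_location()` already restricts the characters it returns is not visible in this hunk. If it does not, listing the directory with `opendir`/`readdir` on `$dir` avoids pattern interpretation altogether. The function body continues outside the hunk.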