diff options
| author | Ted Trask <ttrask01@yahoo.com> | 2008-10-07 17:31:24 +0000 |
|---|---|---|
| committer | Ted Trask <ttrask01@yahoo.com> | 2008-10-07 17:31:24 +0000 |
| commit | 37b64e7d282bb5856fc2a8a4fd3f16af31eb212f (patch) | |
| tree | 4f7df6329591ba784efe4018eb6f44f83806a8cc | |
| parent | 10aabcf615764a3ddfb3afdbda1e778fcc72b42b (diff) | |
| download | acf-alpine-conf-37b64e7d282bb5856fc2a8a4fd3f16af31eb212f.tar.bz2 acf-alpine-conf-37b64e7d282bb5856fc2a8a4fd3f16af31eb212f.tar.xz | |
Modified modelfunctions library to include validation in get/setfiledetails. Modified all uses to validate the file name - this was a major security hole.
git-svn-id: svn://svn.alpinelinux.org/acf/alpine-conf/trunk@1542 ab2d0c66-481e-0410-8bed-d214d4d58bed
| -rw-r--r-- | lbu-model.lua | 21 |
1 files changed, 7 insertions, 14 deletions
diff --git a/lbu-model.lua b/lbu-model.lua index 69eacfc..c190c34 100644 --- a/lbu-model.lua +++ b/lbu-model.lua @@ -153,8 +153,9 @@ local function validatefilelist(filelist) return filelist end -local function validatefilecontent (filecontent) - local config = getconfig(filecontent.value) +local function validatefilecontent (filedetails) + local success = true + local config = getconfig(filedetails.value.filecontent.value) local errors = {} for name,value in pairs(config.value) do if value.errtxt then @@ -162,10 +163,11 @@ local function validatefilecontent (filecontent) end end if #errors > 0 then - filecontent.errtxt = table.concat(errors, "\n") + success = false + filedetails.value.filecontent.errtxt = table.concat(errors, "\n") end - return filecontent + return success, filedetails end --[[ local was_mounted @@ -348,16 +350,7 @@ function get_filedetails() end function set_filedetails(filedetails) - local filecontent = filedetails.value.filecontent - filecontent.value = format.dostounix(filecontent.value) - filecontent.value = filecontent.value:gsub("\n+$", "") - validatefilecontent(filecontent) - if not filecontent.errtxt then - fs.write_file(configfile, filecontent.value) - else - filedetails.errtxt = "Failed to set config" - end - return filedetails + return modelfunctions.setfiledetails(filedetails, {configfile}, validatefilecontent) end function getcommit() |