authorTed Trask <ttrask01@yahoo.com>2013-11-17 15:47:47 +0000
committerTed Trask <ttrask01@yahoo.com>2013-11-17 15:48:41 +0000
commited50fec117d503e3ef089ef588def0486ea2dc6f (patch)
tree88d0e58adaa48377d39c03455b681f4007cf3ee6 /lib/authenticator-plaintext.lua
parent6b156a9ae1ec10de060cb6dfff6e4b1f9ebd8689 (diff)
Clean up authenticator subauths and limit authenticator-plaintext to traversing one directory level
Fix subauths to properly list fields/entries and delete from all subauths
Diffstat (limited to 'lib/authenticator-plaintext.lua')
-rw-r--r--lib/authenticator-plaintext.lua15
1 files changed, 8 insertions, 7 deletions
diff --git a/lib/authenticator-plaintext.lua b/lib/authenticator-plaintext.lua
index 7a5dbea..07a8e62 100644
--- a/lib/authenticator-plaintext.lua
+++ b/lib/authenticator-plaintext.lua
@@ -20,8 +20,9 @@ mymodule.list_fields = function(self, tabl)
local fields = {}
for file in fs.find(".*"..format.escapemagiccharacters(tabl), self.conf.confdir) do
- local field = string.match(file, "([^/]*)"..format.escapemagiccharacters(tabl).."$") or ""
- if fs.is_file(file) and field ~= "" then
+ local field = string.match(file, self.conf.confdir.."(.*)"..format.escapemagiccharacters(tabl).."$")
+ -- We only allow one level of directory traversal
+ if field and fs.is_file(file) and not string.find(field, "/.*/") then
fields[#fields + 1] = field
end
end
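Review bot: On the new `string.match` line, `self.conf.confdir` is spliced into the pattern without `format.escapemagiccharacters`, unlike `tabl` on the same line, so a confdir containing `.`, `-`, `%` or `(` is read as pattern syntax and the capture can miss or match the wrong prefix. Suggested: `local field = string.match(file, format.escapemagiccharacters(self.conf.confdir).."(.*)"..format.escapemagiccharacters(tabl).."$")`. This filter also uses `"/.*/"` while the guards added to read_field and the other functions use `"^..*/.*/"`, and the two disagree on a field with a leading `/` (rejected here, accepted there); if they are meant to express the same one-level rule, using one pattern in both places keeps list_fields and the accessors in agreement. The enclosing list_fields function begins before this hunk.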
@@ -29,7 +30,7 @@ mymodule.list_fields = function(self, tabl)
end
mymodule.read_field = function(self, tabl, field)
- if not self or not tabl or tabl == "" or not field then
+ if not self or not tabl or tabl == "" or not field or string.find(field, "^..*/.*/") then
return nil
end
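Review bot: The new guard `string.find(field, "^..*/.*/")` bounds the number of separators in `field` but does not reject `..` segments, so a field such as `../` still passes and is then concatenated into `self.conf.confdir .. field .. tabl` (visible in the delete_field hunk), which resolves outside confdir; whether `field` can carry caller-supplied text is not visible here, so treat this as a check to confirm rather than a proven exposure. The same guard is copy-pasted into delete_field, write_entry, read_entry and delete_entry in the following hunks; a single local validator keeps the rule in one place and makes the `..` rejection a one-line change for all five. The enclosing read_field body continues past the hunk.

```lua
-- A field is "" or a single directory prefix below confdir; reject deeper
-- paths and any ".." segment so the concatenated path stays inside confdir.
local function valid_field(field)
  return field and not string.find(field, "^..*/.*/") and not string.find(field, "%.%.")
end

mymodule.read_field = function(self, tabl, field)
  if not self or not tabl or tabl == "" or not valid_field(field) then
    return nil
  end
  -- … unchanged: rest of read_field …
```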
@@ -55,7 +56,7 @@ mymodule.read_field = function(self, tabl, field)
end
mymodule.delete_field = function(self, tabl, field)
- if not self or not tabl or tabl == "" or not field then
+ if not self or not tabl or tabl == "" or not field or string.find(field, "^..*/.*/") then
return false
end
local passwd_path = self.conf.confdir .. field .. tabl
@@ -64,7 +65,7 @@ mymodule.delete_field = function(self, tabl, field)
end
mymodule.write_entry = function(self, tabl, field, id, entry)
- if not self or not tabl or tabl == "" or not field or not id or not entry then
+ if not self or not tabl or tabl == "" or not field or string.find(field, "^..*/.*/") or not id or not entry then
return false
end
@@ -85,7 +86,7 @@ mymodule.write_entry = function(self, tabl, field, id, entry)
end
mymodule.read_entry = function(self, tabl, field, id)
- if not self or not tabl or tabl == "" or not field or not id then
+ if not self or not tabl or tabl == "" or not field or string.find(field, "^..*/.*/") or not id then
return nil
end
-- Set path to passwordfile
@@ -101,7 +102,7 @@ mymodule.read_entry = function(self, tabl, field, id)
end
mymodule.delete_entry = function (self, tabl, field, id)
- if not self or not tabl or tabl == "" or not field or not id then
+ if not self or not tabl or tabl == "" or not field or string.find(field, "^..*/.*/") or not id then
return false
end
local result = false