author | Ted Trask <ttrask01@yahoo.com> | 2008-10-07 17:31:24 +0000 |
---|---|---|
committer | Ted Trask <ttrask01@yahoo.com> | 2008-10-07 17:31:24 +0000 |
commit | a91953204def624a264defaca264f87fbc0a28a7 (patch) | |
tree | 0438fe6c6eecc45f461c8fbed5146ef26a29d4e7 | |
parent | 45372396aa0f819f5304faee69874b6448576c89 (diff) | |
download | acf-dansguardian-a91953204def624a264defaca264f87fbc0a28a7.tar.bz2 acf-dansguardian-a91953204def624a264defaca264f87fbc0a28a7.tar.xz |
Modified modelfunctions library to include validation in get/setfiledetails. Modified all uses to validate the file name - this was a major security hole.
git-svn-id: svn://svn.alpinelinux.org/acf/dansguardian/trunk@1542 ab2d0c66-481e-0410-8bed-d214d4d58bed
-rw-r--r-- | dansguardian-model.lua | 20 |
1 files changed, 2 insertions, 18 deletions
diff --git a/dansguardian-model.lua b/dansguardian-model.lua
index 66bd6a7..d54a87a 100644
--- a/dansguardian-model.lua
+++ b/dansguardian-model.lua
@@ -136,27 +136,11 @@ update_general_config = function( config )
 end
 
 get_file = function(filename)
- local retval
- if is_valid_filename(filename) then
- retval = modelfunctions.getfiledetails(filename)
- else
- retval = modelfunctions.getfiledetails("")
- retval.value.filename.value = filename
- end
-
- return retval
+ return modelfunctions.getfiledetails(filename, is_valid_filename)
 end
 
 update_file = function(filedetails)
- local retval
- if is_valid_filename(filedetails.value.filename.value) then
- retval = modelfunctions.setfiledetails(filedetails)
- else
- retval.value.filename.errtxt = "Invalid filename"
- retval.errtxt = "Failed to save file"
- end
-
- return retval
+ return modelfunctions.setfiledetails(filedetails, is_valid_filename)
 end
 
 list_files = function() |
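Review bot: In `get_file` and `update_file` the filename check now depends entirely on `modelfunctions.getfiledetails` / `setfiledetails` honouring their second argument, and nothing in this hunk shows what they do when that argument is nil. If `is_valid_filename` is declared as a local further down the file, or is later renamed, the name here would evaluate to nil, and whether the caller-supplied filename is then rejected or passed through unchecked depends on the library, which is not visible here. I would confirm that the library fails closed on a missing validator, or guard at this call site with `assert(type(is_valid_filename) == "function", "filename validator missing")` before each call. A comment above `get_file` such as `-- filename is caller-supplied; modelfunctions must refuse it unless is_valid_filename accepts it` would keep a later edit from dropping the second argument. The definition of `is_valid_filename` is outside the hunk, so its handling of path separators and `..` cannot be checked from here.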