diff options
author | Ted Trask <ttrask01@yahoo.com> | 2008-10-07 17:31:24 +0000 |
---|---|---|
committer | Ted Trask <ttrask01@yahoo.com> | 2008-10-07 17:31:24 +0000 |
commit | db568f08d77df7cad6197e6fa3600e878c92d529 (patch) | |
tree | 2e399bcbbd70c43370ad024eca9c3cca80394abf | |
parent | 8b2da2eda5e7ba891fc5cc2488f51b46e4023c2b (diff) | |
download | acf-opennhrp-db568f08d77df7cad6197e6fa3600e878c92d529.tar.bz2 acf-opennhrp-db568f08d77df7cad6197e6fa3600e878c92d529.tar.xz |
Modified modelfunctions library to include validation in get/setfiledetails. Modified all uses to validate the file name - this was a major security hole.
git-svn-id: svn://svn.alpinelinux.org/acf/opennhrp/trunk@1542 ab2d0c66-481e-0410-8bed-d214d4d58bed
-rw-r--r-- | opennhrp-model.lua | 16 |
1 files changed, 2 insertions, 14 deletions
diff --git a/opennhrp-model.lua b/opennhrp-model.lua index 42497c9..2601655 100644 --- a/opennhrp-model.lua +++ b/opennhrp-model.lua @@ -200,21 +200,9 @@ function setconfig(self, config) end function getconfigfile(self) - local filedetails = modelfunctions.getfiledetails(configfile) - local result, filedetails = validateconfigfile(self, filedetails) - return filedetails + return modelfunctions.getfiledetails(configfile, nil, function(filedetails) return validateconfigfile(self, filedetails)end) end function setconfigfile(self, filedetails) - filedetails.value.filename.value = configfile - filedetails.value.filecontent.value = string.gsub(format.dostounix(filedetails.value.filecontent.value), "\n+$", "") - local success, filedetails = validateconfigfile(self, filedetails) - if success then - fs.write_file(configfile, filedetails.value.filecontent.value) - filedetails = getconfigfile(self) - else - filedetails.errtxt = "Failed to set configuration file" - end - - return filedetails + return modelfunctions.setfiledetails(filedetails, {configfile}, function(filedetails) return validateconfigfile(self, filedetails)end) end |