author | Ted Trask <ttrask01@yahoo.com> | 2008-10-07 17:31:24 +0000 |
---|---|---|
committer | Ted Trask <ttrask01@yahoo.com> | 2008-10-07 17:31:24 +0000 |
commit | c92a68f62a048c9ea2664404096b7400ba4b1e9c (patch) | |
tree | 4f9cb32e37cc40ee0fec6072ad912bff69aec20e | |
parent | 9815d806cc53c6f2bf0154f6fa3bc4fbccaaacd9 (diff) | |
Modified modelfunctions library to include validation in get/setfiledetails. Modified all uses to validate the file name - this was a major security hole.
git-svn-id: svn://svn.alpinelinux.org/acf/shorewall/trunk@1542 ab2d0c66-481e-0410-8bed-d214d4d58bed
-rw-r--r-- | shorewall-model.lua | 23 |
1 files changed, 8 insertions, 15 deletions
diff --git a/shorewall-model.lua b/shorewall-model.lua
index 0130b78..f3c1e50 100644
--- a/shorewall-model.lua
+++ b/shorewall-model.lua
@@ -217,29 +217,22 @@ function getfilelist ()
 return cfe({ type="list", value=listed_files, label="Shorewall File List" })
 end
-function getfiledetails(filename)
- --Validate filename
+local function is_valid_filename(filename)
 local available_files = getfilelist()
 for i,file in ipairs(available_files.value) do
 if file.filename == filename then
- return modelfunctions.getfiledetails(filename)
+ return true
 end
 end
- local retval = modelfunctions.getfiledetails("")
- retval.value.filename.value = filename
- return retval
+ return false
+end
+
+function getfiledetails(filename)
+ return modelfunctions.getfiledetails(filename, is_valid_filename)
 end
 function updatefiledetails (filedetails)
- local available_files = getfilelist()
- for i,file in ipairs(available_files.value) do
- if file.filename == filedetails.value.filename.value then
- return modelfunctions.setfiledetails(filedetails)
- end
- end
- filedetails.value.filename.errtxt = "Invalid Filename"
- filedetails.errtxt = "Failed to save file"
- return filedetails
+ return modelfunctions.setfiledetails(filedetails, is_valid_filename)
 end
 --[[ |
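Review bot: The allowlist check in `getfiledetails` and `updatefiledetails` now takes effect only if `modelfunctions.getfiledetails` and `modelfunctions.setfiledetails` actually call the validator passed as their second argument, and that library code is not part of this diff. Lua silently discards surplus arguments, so if this model is ever loaded against a modelfunctions version without the validator parameter, both calls would presumably accept any filename without an error, whereas the removed code rejected unknown names locally (setting `errtxt` in `updatefiledetails`). It is worth pinning the required library version in the package dependencies and adding a regression check that a name absent from `getfilelist()` is rejected by both functions. I would also add a comment above `is_valid_filename`, for example `-- Allowlist: exact match against getfilelist(); do not relax to pattern or prefix matching`, so the security role of the helper stays clear to later editors.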