diff options
author | Ted Trask <ttrask01@yahoo.com> | 2008-10-07 17:31:24 +0000 |
---|---|---|
committer | Ted Trask <ttrask01@yahoo.com> | 2008-10-07 17:31:24 +0000 |
commit | 22a35c7448599aaa4e6c43d69c3e1c511e1534e3 (patch) | |
tree | cc27f87cb7408a0bdaa7728503dbb29fe80e5815 | |
parent | 131d8583638dd5b44d37c292d99740bde3dcf2b6 (diff) | |
download | acf-tcpproxy-22a35c7448599aaa4e6c43d69c3e1c511e1534e3.tar.bz2 acf-tcpproxy-22a35c7448599aaa4e6c43d69c3e1c511e1534e3.tar.xz |
Modified modelfunctions library to include validation in get/setfiledetails. Modified all uses to validate the file name - this was a major security hole.
git-svn-id: svn://svn.alpinelinux.org/acf/tcpproxy/trunk@1542 ab2d0c66-481e-0410-8bed-d214d4d58bed
-rw-r--r-- | tcpproxy-model.lua | 17 |
1 files changed, 3 insertions, 14 deletions
diff --git a/tcpproxy-model.lua b/tcpproxy-model.lua index e0e820b..508301f 100644 --- a/tcpproxy-model.lua +++ b/tcpproxy-model.lua @@ -201,8 +201,7 @@ function getconfigfile() end function setconfigfile(filedetails) - filedetails.value.filename.value = configfile - return modelfunctions.setfiledetails(filedetails) + return modelfunctions.setfiledetails(filedetails, {configfile}) end function getsmtpstatus() @@ -374,21 +373,11 @@ function createsmtpfile(filedetails) end function readsmtpfile(filename) - if validator.is_valid_filename(filename, smtpdirectory) and fs.is_file(filename) then - return modelfunctions.getfiledetails(filename) - end - local retval = modelfunctions.getfiledetails("") - retval.value.filename.value = filename - return retval + return modelfunctions.getfiledetails(filename, function(filename) return validator.is_valid_filename(filename, smtpdirectory) end) end function updatesmtpfile(filedetails) - if validator.is_valid_filename(filedetails.value.filename.value, smtpdirectory) and fs.is_file(filedetails.value.filename.value) then - return modelfunctions.setfiledetails(filedetails) - end - filedetails.value.filename.errtxt = "Invalid Filename" - filedetails.errtxt = "Failed to set file" - return filedetails + return modelfunctions.setfiledetails(filedetails, function(filename) return validator.is_valid_filename(filename, smtpdirectory) end) end function delsmtpfile(filename) |