author | Ted Trask <ttrask01@yahoo.com> | 2008-10-07 17:31:24 +0000 |
---|---|---|
committer | Ted Trask <ttrask01@yahoo.com> | 2008-10-07 17:31:24 +0000 |
commit | 39e5bdc0c438d109dcc4f744121e3eb742fd18ab (patch) | |
tree | d43aa57ae1b7a144c2536032ecdf26dbcce7b781 | |
parent | d30aea9b5d21a9486492417e20f1527564a0e973 (diff) | |
download | acf-tinydns-39e5bdc0c438d109dcc4f744121e3eb742fd18ab.tar.bz2 acf-tinydns-39e5bdc0c438d109dcc4f744121e3eb742fd18ab.tar.xz |
Modified modelfunctions library to include validation in get/setfiledetails. Modified all uses to validate the file name - this was a major security hole.
git-svn-id: svn://svn.alpinelinux.org/acf/tinydns/trunk@1542 ab2d0c66-481e-0410-8bed-d214d4d58bed
-rw-r--r-- | tinydns-model.lua | 20 |
1 files changed, 2 insertions, 18 deletions
diff --git a/tinydns-model.lua b/tinydns-model.lua
index 61840d9..95e5f4f 100644
--- a/tinydns-model.lua
+++ b/tinydns-model.lua
@@ -259,28 +259,12 @@ end
 
 function get_filedetails(self, path, userid)
 configfiles = searchforconfigfiles(self, userid)
- if not validfilename(path) then
- local result = modelfunctions.getfiledetails("")
- result.value.filename.value = path
- return result
- else
- return modelfunctions.getfiledetails(path)
- end
+ return modelfunctions.getfiledetails(path, validfilename)
 end
 
 function set_filedetails (self, filedetails, userid)
 configfiles = searchforconfigfiles(self, userid)
- filedetails.value.filecontent.value = string.gsub(format.dostounix(filedetails.value.filecontent.value), "\n+$", "")
- local success, errtxt = validfilename(filedetails.value.filename.value)
- if success then
- fs.write_file(filedetails.value.filename.value, filedetails.value.filecontent.value)
- filedetails = get_filedetails(self, filedetails.value.filename.value, userid)
- else
- filedetails.value.filename.errtxt = errtxt
- filedetails.errtxt = "Failed to set config file"
- end
-
- return filedetails
+ return modelfunctions.setfiledetails(filedetails, validfilename)
 end
 
 function getnewconfigfile() |
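Review bot: In both `get_filedetails` and `set_filedetails` the file-name check now depends on state that is not visible at the call: `validfilename` is passed as a bare callback and presumably reads the `configfiles` value assigned on the line before, which has no `local` in this hunk and so looks like a module-level global. If `modelfunctions.getfiledetails` and `modelfunctions.setfiledetails` treat a missing validator as "no validation" (their bodies are outside this diff), a renamed or nil `validfilename` would silently bring back the hole this commit closes. It is worth confirming they fail closed and recording the dependency here, e.g. `-- validfilename checks the path against configfiles (refreshed above for this userid); must never be nil`. The removed `set_filedetails` body also normalised the content with `format.dostounix` and stripped trailing newlines before `fs.write_file`, so confirm the library version does the same, since that behaviour can no longer be read at this call site.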