author | Mika Havela <mika.havela@gmail.com> | 2007-12-20 15:52:08 +0000 |
---|---|---|
committer | Mika Havela <mika.havela@gmail.com> | 2007-12-20 15:52:08 +0000 |
commit | 4062108ee8796ab9f64f05d55cd48352399cd34c (patch) | |
tree | 5a889a0c07bfba7948e2d412fba8041cbc761ce2 /skins-model.lua | |
parent | 484fc64f0327fe1a1bbccd248e74406cd455882d (diff) | |
Added security against code-injection
git-svn-id: svn://svn.alpinelinux.org/acf/alpine-baselayout/trunk@443 ab2d0c66-481e-0410-8bed-d214d4d58bed
Diffstat (limited to 'skins-model.lua')
-rw-r--r-- | skins-model.lua | 31 |
1 files changed, 9 insertions, 22 deletions
diff --git a/skins-model.lua b/skins-model.lua
index dc9d5fb..41000b1 100644
--- a/skins-model.lua
+++ b/skins-model.lua
@@ -4,24 +4,10 @@ module (..., package.seeall)
 -- no initializer in model - use controller.init for that
 local function set_skins(skin)
---local addremove_opts = function ( addremove, file, variable, option )
--- if (string.lower(addremove) == "remove" ) then
- cmdtxt = "/bin/sed -i 's/skin=.*/skin=" .. skin .. "/' /etc/acf/acf.conf"
--- /bin/sed 's/skin=.*/skin=plupp/' /etc/acf/acf.conf
- local cmd, error = io.popen ( cmdtxt )
- local cmdoutput = cmd:read("*a")
- cmd:close()
- -- Cleanup the variable by removing unneccesary blanks
--- cmdtxt = "/bin/sed -i 's/\\\"\\ /\\\"/g' " .. file
--- cmdtxt = cmdtxt .. ";/bin/sed -i 's/\\ \\\"/\\\"/g' " .. file
--- local cmd, error = io.popen ( cmdtxt )
--- cmd:close()
--- elseif (string.lower(addremove) == "add" ) then
--- cmdtxt = "/bin/sed -i 's/\\(" .. variable .. ".*\\)\\\"/\\1" .. option .. " \\\"/' " .. file
--- local cmd, error = io.popen ( cmdtxt )
--- local cmdoutput = cmd:read("*a")
--- cmd:close()
--- end
+ cmdtxt = "/bin/sed -i 's/skin=.*/skin=" .. skin .. "/' /etc/acf/acf.conf"
+ local cmd, error = io.popen ( cmdtxt )
+ local cmdoutput = cmd:read("*a")
+ cmd:close()
 return cmdtxt
 end
@@ -51,12 +37,13 @@ get = function (self)
 end
 update = function (self,skin)
+ -- Make sure no one can inject code into the model.
 local availableskins = list_skins()
--- for k,v in pars(availableskins.skinarray.name) do
--- if ( availableskins[k].name == skin) then
+ for i = 1 , table.maxn(availableskins) do
+ if ( availableskins[i].name == skin) and (skin ~= nil) then
 return set_skins(skin)
--- end
--- end
+ end
+ end
 end |
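Review bot: `set_skins` still concatenates `skin` directly into the command line given to `io.popen`, so the only barrier between request input and `/bin/sed` is the name comparison in `update`. If `list_skins()` (not shown here) builds its names from directory entries, a name containing a quote, `/` or `&` would pass that comparison and still alter the sed expression or the shell quoting. A guard at the top of the function, such as `if type(skin) ~= "string" or not skin:match("^[%w_%.%-]+$") then return nil end`, would keep it safe whoever calls it; this assumes skin names are plain identifiers, which should be confirmed. Separately, `cmdtxt` is assigned without `local` and becomes a global, `local cmd, error` shadows the builtin `error`, and the `io.popen` result is used without a nil check.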
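Review bot: A skin value that matches nothing falls out of the loop and `update` returns nil with no error or log entry, so the controller cannot distinguish a rejected (possibly hostile) value from a harmless no-op. Ending the function with something like `return nil, "unknown skin"` would let the caller report and record the rejection. The `skin ~= nil` test is re-evaluated on every iteration and only after the comparison; one guard before the loop would be clearer. `for i = 1 , table.maxn(availableskins)` will raise on `availableskins[i].name` if the list ever has a hole, which `for _, s in ipairs(availableskins) do` avoids, assuming `list_skins()` returns a plain sequence.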