diff --git a/ezmlm-web-ng/ezmlm-web-2.1-ng/TODO.ng b/ezmlm-web-ng/ezmlm-web-2.1-ng/TODO.ng
new file mode 100644
index 0000000..3a39d6a
--- /dev/null
+++ b/ezmlm-web-ng/ezmlm-web-2.1-ng/TODO.ng
@@ -0,0 +1 @@
+check permission before actions like "change", "create" or "delete" - the command could be arbitrarily injected into GET
diff --git a/ezmlm-web-ng/ezmlm-web-2.1-ng/ezmlm-web.cgi b/ezmlm-web-ng/ezmlm-web-2.1-ng/ezmlm-web.cgi
index 5109595..f88a8aa 100755
--- a/ezmlm-web-ng/ezmlm-web-2.1-ng/ezmlm-web.cgi
+++ b/ezmlm-web-ng/ezmlm-web-2.1-ng/ezmlm-web.cgi
@@ -53,8 +53,8 @@ use CGI::Carp qw(fatalsToBrowser set_message);
 my $q = new CGI;
 $q->import_names('Q');
-use vars qw[$opt_c $opt_d $opt_C];
-getopts('cd:C:');
+use vars qw[$opt_d $opt_C];
+getopts('d:C:');
 # Suid stuff requires a secure path.
 $ENV{'PATH'} = '/bin';
@@ -105,7 +105,7 @@ if(defined($Q::action) && $Q::action eq '[Web Archive]') {
 }
 # Print header on every page ...
-print $q->header(-pragma=>'no-cache', '-cache-control'=>'no-cache', -expires=>'-1d' '-Content-Type'=>'text/html; charset=utf-8');
+print $q->header(-pragma=>'no-cache', '-cache-control'=>'no-cache', -expires=>'-1d', '-Content-Type'=>'text/html; charset=utf-8');
 print $q->start_html(-title=>$HTML_TITLE, -author=>'guy-ezmlm@rucus.ru.ac.za', -BGCOLOR=>$HTML_BGCOLOR, -LINK=>$HTML_LINK, -VLINK=>$HTML_VLINK, -TEXT=>$HTML_TEXT, -expires=>'-1d');
 print $HTML_HEADER;
@@ -285,7 +285,7 @@ sub select_list {
 print '
' if defined(@subscribers);
- print $q->textfield(-name=>'addsubscriber', -size=>'40'), '
';
- print $q->filefield(-name=>'addfile', -size=>20, -maxlength=>100), '
' if ($FILE_UPLOAD);
+ print $q->textfield(-name=>'addsubscriber', -size=>'40'), '
';
+ print $q->filefield(-name=>'addfile', -size=>20, -maxlength=>100), '
' if ($FILE_UPLOAD);
print $q->submit(-name=>'action', -value=>"[$BUTTON{'addaddress'}]"), '
';
print '', $LANGUAGE{'additionalparts'}, ':
' if($list->ismodpost || $list->ismodsub || $list->isremote || $list->isdeny || $list->isallow || $list->isdigest);
- print $q->submit(-name=>'action', -value=>"[$BUTTON{'moderators'}]"), ' ' if ($list->ismodpost || $list->ismodsub || $list->isremote);
- print $q->submit(-name=>'action', -value=>"[$BUTTON{'denylist'}]"), ' ' if ($list->isdeny);
- print $q->submit(-name=>'action', -value=>"[$BUTTON{'allowlist'}]"), ' ' if ($list->isallow);
- print $q->submit(-name=>'action', -value=>"[$BUTTON{'digestsubscribers'}]"), ' ' if ($list->isdigest);
+ print $q->submit(-name=>'action', -value=>"[$BUTTON{'moderators'}]"), ' ' if ($list->ismodpost || $list->ismodsub || $list->isremote);
+ print $q->submit(-name=>'action', -value=>"[$BUTTON{'denylist'}]"), ' ' if ($list->isdeny);
+ print $q->submit(-name=>'action', -value=>"[$BUTTON{'allowlist'}]"), ' ' if ($list->isallow);
+ print $q->submit(-name=>'action', -value=>"[$BUTTON{'digestsubscribers'}]"), ' ' if ($list->isdigest);
print '
';
- print $q->submit(-name=>'action', -value=>"[$BUTTON{'webarchive'}]"), ' ' if(&ezmlmcgirc);
- print $q->submit(-name=>'action', -value=>"[$BUTTON{'configuration'}]"), ' ';
+ print $q->submit(-name=>'action', -value=>"[$BUTTON{'webarchive'}]"), ' ' if(&ezmlmcgirc);
+ print $q->submit(-name=>'action', -value=>"[$BUTTON{'configuration'}]"), ' ';
 print $q->submit(-name=>'action', -value=>"[$BUTTON{'selectlist'}]");
 print '
' if defined(@subscribers);
- print $q->textfield(-name=>'addsubscriber', -size=>'40'), '
';
- print $q->filefield(-name=>'addfile', -size=>20, -maxlength=>100), '
' if ($FILE_UPLOAD);
+ print $q->textfield(-name=>'addsubscriber', -size=>'40'), '
';
+ print $q->filefield(-name=>'addfile', -size=>20, -maxlength=>100), '
' if ($FILE_UPLOAD);
print $q->submit(-name=>'action', -value=>"[$BUTTON{'addaddress'}]"), '
';
 print $q->submit(-name=>'action', -value=>"[$BUTTON{'subscribers'}]");
 print '
';
+ print '', $LANGUAGE{'listname'}, ': ', $q->textfield(-name=>'list', -size=>'20'), '
';
 print '', $LANGUAGE{'listaddress'}, ': ';
 print $q->textfield(-name=>'inlocal', -default=>$username, -size=>'10');
- print ' @ ', $q->textfield(-name=>'inhost', -default=>$hostname, -size=>'30'), '
';
+ print ' @ ', $q->textfield(-name=>'inhost', -default=>$hostname, -size=>'30'), '
';
 print '
', $LANGUAGE{'listoptions'}, ':';
 &display_options($DEFAULT_OPTIONS);
@@ -612,12 +612,12 @@ sub allow_create_list {
 # Allow creation of mysql table if the module allows it
 if($Mail::Ezmlm::MYSQL_BASE) {
 print '
', $q->checkbox(-name=>'sql', -label=>$LANGUAGE{'mysqlcreate'}, -on=>1);
- print ' ';
+ print ' ';
 }
 print '
', $LANGUAGE{'allowedtoedit'}, ': ',
- $q->textfield(-name=>'webusers', -value=>$ENV{'REMOTE_USER'}||'ALL', -size=>'30'), ' ',
+ $q->textfield(-name=>'webusers', -value=>$ENV{'REMOTE_USER'}||'ALL', -size=>'30'), ' ',
'
', $HELPER{'allowedit'}, ''
if(-e "$LIST_DIR/webusers");
@@ -727,10 +727,10 @@ sub list_config {
$mimeremove = $list->getpart('mimeremove');
$prefix = $list->getpart('prefix');
- print '
', $LANGUAGE{'prefix'}, ': ', $q->textfield(-name=>'prefix', -default=>$prefix, -size=>12), ' ' if defined($prefix);
- print '
', $LANGUAGE{'headerremove'}, ':
', $q->textarea(-name=>'headerremove', -default=>$headerremove, -rows=>5, -columns=>70);
- print '
', $LANGUAGE{'headeradd'}, ':
', $q->textarea(-name=>'headeradd', -default=>$headeradd, -rows=>5, -columns=>70);
- print '
', $LANGUAGE{'mimeremove'}, ':
', $q->textarea(-name=>'mimeremove', -default=>$mimeremove, -rows=>5, -columns=>70) if defined($mimeremove);
+ print '
', $LANGUAGE{'prefix'}, ': ', $q->textfield(-name=>'prefix', -default=>$prefix, -size=>12), ' ' if defined($prefix);
+ print '
', $LANGUAGE{'headerremove'}, ':
', $q->textarea(-name=>'headerremove', -default=>$headerremove, -rows=>5, -columns=>70);
+ print '
', $LANGUAGE{'headeradd'}, ':
', $q->textarea(-name=>'headeradd', -default=>$headeradd, -rows=>5, -columns=>70);
+ print '
', $LANGUAGE{'mimeremove'}, ':
', $q->textarea(-name=>'mimeremove', -default=>$mimeremove, -rows=>5, -columns=>70) if defined($mimeremove);
if(open(WEBUSER, "<$LIST_DIR/webusers")) {
my($webusers);
@@ -741,7 +741,7 @@ sub list_config {
$webusers ||= $ENV{'REMOTE_USER'} || 'ALL';
print '
', $LANGUAGE{'allowedtoedit'}, ': ',
- $q->textfield(-name=>'webusers', -value=>$webusers, -size=>'30'), ' ',
+ $q->textfield(-name=>'webusers', -value=>$webusers, -size=>'30'), ' ',
'
', $HELPER{'allowedit'}, '';
}
@@ -908,6 +908,25 @@ sub webauth {
return 1;
}
+
+# ---------------------------------------------------------------------------
+
+sub webauth_create_allowed {
+
+ # Read create-permission from webusers file.
+ # the special listname "ALLOW_CREATE" controls, who is allowed to do it
+ open (USERS, "<$LIST_DIR/webusers") || die "Unable to read webusers file: $!";
+ while(';
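Review bot: The `open (USERS, "<$LIST_DIR/webusers") || die "Unable to read webusers file: $!";` line in the new webauth_create_allowed reports the failure through die, and because the script imports `CGI::Carp qw(fatalsToBrowser ...)` that text, including `$!`, is rendered into the HTTP response unless set_message is used elsewhere to replace it; refusing on a missing file is the right fail-closed choice, but the detail belongs in the server log, e.g. `warn "webauth_create_allowed: cannot read $LIST_DIR/webusers: $!"; die "Unable to read access configuration\n";`. The same line uses a bareword global handle and the two-argument open form; `open(my $users, '<', "$LIST_DIR/webusers") or die ...` keeps the handle local to the sub so it is closed on every return path. The rest of the sub after `while(` is not visible on this page (the hunk header announces 25 new lines, and the `<USERS>` read was presumably lost to extraction), so the ALLOW_CREATE matching and the return value could not be checked; the header comment should state explicitly that the sub returns false when no ALLOW_CREATE entry is found, since the callers that gate "create" on it must deny by default.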
@@ -939,7 +958,7 @@ sub display_options {
} else {
print $q->checkbox(-name=>$i, -value=>$i, -label=>$EZMLM_LABELS{$i}[0]);
}
- print '';
+ print '';
print ' ';
diff --git a/ezmlm-web-ng/ezmlm-web-2.1-ng/lang/de.pm b/ezmlm-web-ng/ezmlm-web-2.1-ng/lang/de.pm
index 0e657bf..881abb1 100644
--- a/ezmlm-web-ng/ezmlm-web-2.1-ng/lang/de.pm
+++ b/ezmlm-web-ng/ezmlm-web-2.1-ng/lang/de.pm
@@ -97,16 +97,16 @@
%HELPER = (
# These should be self explainitory
- addaddress => 'Hier ist eine Mail-Adresse erforderlich. Auch Eingaben in der Form "Max Meier ';
print $q->textfield(-name=>"$i-value", -value=>$1||$EZMLM_LABELS{$i}[2], -size=>30);
print '