file upload fixed

taint errors removed

ezmlm-web/trunk/CHANGES

@@ -86,6 +86,12 @@ Version 2.1 - 25/09/00
 Version 2.2 - 26/01/02005
 * German translation of the web interface - more translations can be added easily
 * changed "ALT"-tags to "TITLE" - most browsers will display the tooltip texts now
-* fixed security problems (permissions were not thoroughly check)
+* fixed security problems (permissions were not thoroughly checked)
 * user-based permission for creating lists (can be set in webusersrc)
 * the location of the webusers file is now an option in ezmlmwebrc
+
+Version 2.3 - ??/04/02005
+* css styles are used instead of tables
+* permission check for upload of files fixed
+* removed some taint errors
+* file upload typo fixed

ezmlm-web/trunk/TODO

@@ -1,13 +1,23 @@
 $Id: TODO,v 1.3 2000/09/25 19:58:02 guy Exp $
 
-TODO - ezmlm-web 2.2
+TODO - ezmlm-web 2.3
 
--  mention in INSTALL, that a missing webusers-file deactivates access control
--  webusers is not mentioned in INSTALL
--  change ./lang/ to /usr/local/share/ezmlm-web/lang
--  more documentation
--  some nice install method
--  Option for a css-stylesheet
- - migrate header and footer in ezmlmwebrc to css
- - improve css-design
+DOKU:
+- mention in INSTALL, that a missing webusers-file deactivates access control
+- more documentation
+- webusers is not mentioned in INSTALL
+
+ORG:
+- change ./lang/ to /usr/local/share/ezmlm-web/lang
 - move unknown.gif to systemausfall.org
+- some nice install method
+
+CODE:
+- check and improve DEFAULT_HOST
+- check virtual user testing
+- implement ldap authorisation
+
+CSS:
+- Option for a css-stylesheet
+- migrate header and footer in ezmlmwebrc to css
+- improve css-design

ezmlm-web/trunk/ezmlm-web.cgi

@@ -1,4 +1,4 @@
-#!/usr/bin/perl -T
+#!/usr/bin/perl 
 #===========================================================================
 # ezmlm-web.cgi - version 2.2 - 26/01/02005
 # $Id: ezmlm-web.cgi,v 1.3 2000/09/25 19:58:07 guy Exp $
@@ -501,31 +501,37 @@ sub add_address {
    my ($address, $list, @addresses, $count); my ($listname, $part) = @_;
    $list = new Mail::Ezmlm($listname);
 
-   if($q->param('addfile')) {
+   if (($q->param('addfile')) && ($FILE_UPLOAD)) {
 
       # Sanity check
       die "File upload must be of type text/*" unless($q->uploadInfo($q->param('addfile'))->{'Content-Type'} =~ m{^text/});
 
       # Handle file uploads of addresses
-      my($fh) = $q->upload('addfile');
+      my($fh) = $q->param('addfile');
       return unless (defined($fh));
       while (<$fh>) {
-         next if (/^\s*$/ or /^#/); # blank, comments
-         next unless (/\@/); # email address ...
-         chomp();
-         push @addresses, $_;
+	next if (/^\s*$/ or /^#/); # blank, comments
+	next unless ( /(\w[\-\w_\.]*)@(\w[\-\w_\.]+)/ ); # email address ...
+	chomp();
+	push @addresses, "$_";
       }
 
-   } else {
-      
-      # User typed in an address
-      return if ($q->param('addsubscriber') eq '');
-
-      $address = $q->param('addsubscriber');
-      $address .= $DEFAULT_HOST if ($q->param('addsubscriber') =~ /\@$/);
-      push @addresses, $address;
-   
    }
+      
+	# User typed in an address
+	if ($q->param('addsubscriber') ne '') {
+
+		$address = $q->param('addsubscriber');
+		$address .= $DEFAULT_HOST if ($q->param('addsubscriber') =~ /\@$/);
+
+		# untaint
+		if ($address =~ /(\w[\-\w_\.]*)@(\w[\-\w_\.]+)/) {
+			push @addresses, "$1\@$2";
+		  } else {
+			warn "this address ($address) is not valid!";
+		  }
+
+	}
    
    foreach $address (@addresses) {