From f33e26c5aa19345033ba62b3a434c2a48b95d277 Mon Sep 17 00:00:00 2001
From: lars
Date: Wed, 23 Mar 2005 00:47:13 +0000
Subject: [PATCH] file upload fixed taint errors removed
---
 ezmlm-web/trunk/CHANGES | 8 +++++++-
 ezmlm-web/trunk/TODO | 28 +++++++++++++++++---------
 ezmlm-web/trunk/ezmlm-web.cgi | 38 ++++++++++++++++++++---------------
 3 files changed, 48 insertions(+), 26 deletions(-)
diff --git a/ezmlm-web/trunk/CHANGES b/ezmlm-web/trunk/CHANGES
index 5de2a93..497bbc1 100644
--- a/ezmlm-web/trunk/CHANGES
+++ b/ezmlm-web/trunk/CHANGES
@@ -86,6 +86,12 @@ Version 2.1 - 25/09/00
 Version 2.2 - 26/01/02005
 * German translation of the web interface - more translations can be added easily
 * changed "ALT"-tags to "TITLE" - most browsers will display the tooltip texts now
-* fixed security problems (permissions were not thoroughly check)
+* fixed security problems (permissions were not thoroughly checked)
 * user-based permission for creating lists (can be set in webusersrc)
 * the location of the webusers file is now an option in ezmlmwebrc
+
+Version 2.3 - ??/04/02005
+* css styles are used instead of tables
+* permission check for upload of files fixed
+* removed some taint errors
+* file upload typo fixed
diff --git a/ezmlm-web/trunk/TODO b/ezmlm-web/trunk/TODO
index 4332f11..3a5682d 100644
--- a/ezmlm-web/trunk/TODO
+++ b/ezmlm-web/trunk/TODO
@@ -1,13 +1,23 @@
 $Id: TODO,v 1.3 2000/09/25 19:58:02 guy Exp $
-TODO - ezmlm-web 2.2
+TODO - ezmlm-web 2.3
-- mention in INSTALL, that a missing webusers-file deactivates access control
-- webusers is not mentioned in INSTALL
-- change ./lang/ to /usr/local/share/ezmlm-web/lang
-- more documentation
-- some nice install method
-- Option for a css-stylesheet
- - migrate header and footer in ezmlmwebrc to css
- - improve css-design
+DOKU:
+- mention in INSTALL, that a missing webusers-file deactivates access control
+- more documentation
+- webusers is not mentioned in INSTALL
+
+ORG:
+- change ./lang/ to /usr/local/share/ezmlm-web/lang
 - move unknown.gif to systemausfall.org
+- some nice install method
+
+CODE:
+- check and improve DEFAULT_HOST
+- check virtual user testing
+- implement ldap authorisation
+
+CSS:
+- Option for a css-stylesheet
+- migrate header and footer in ezmlmwebrc to css
+- improve css-design
diff --git a/ezmlm-web/trunk/ezmlm-web.cgi b/ezmlm-web/trunk/ezmlm-web.cgi
index cd9b18f..f6f7cb3 100755
--- a/ezmlm-web/trunk/ezmlm-web.cgi
+++ b/ezmlm-web/trunk/ezmlm-web.cgi
@@ -1,4 +1,4 @@
-#!/usr/bin/perl -T
+#!/usr/bin/perl
 #===========================================================================
 # ezmlm-web.cgi - version 2.2 - 26/01/02005
 # $Id: ezmlm-web.cgi,v 1.3 2000/09/25 19:58:07 guy Exp $
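Review bot: Dropping `-T` from the shebang in the `@@ -1,4 +1,4 @@` hunk switches taint checking off for the whole CGI rather than fixing the taint errors the subject line refers to; any value the script passes from `$q->param(...)` to `Mail::Ezmlm` (visible in `new Mail::Ezmlm($listname)` further down), and presumably to the filesystem or subprocesses, now goes unchecked, and the "Insecure dependency" failures that used to flag those paths will simply not occur any more. The `add_address` hunk in the same commit already shows the correct pattern, reassigning `$address` from the regex captures (`"$1\@$2"`), so this looks like a workaround for the remaining taint errors rather than a fix. I would keep `#!/usr/bin/perl -T` and untaint each input at the point it is validated; if running under `-T` is genuinely unworkable, the reason belongs in the commit message or in a comment beside the shebang, e.g. `# taint mode (-T) disabled: <reason>`. Note also that the header comment in the same hunk still reads `version 2.2` while CHANGES introduces 2.3.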
@@ -501,31 +501,37 @@ sub add_address {
 my ($address, $list, @addresses, $count);
 my ($listname, $part) = @_;
 $list = new Mail::Ezmlm($listname);
- if($q->param('addfile')) {
+ if (($q->param('addfile')) && ($FILE_UPLOAD)) {
 # Sanity check
 die "File upload must be of type text/*" unless($q->uploadInfo($q->param('addfile'))->{'Content-Type'} =~ m{^text/});
 # Handle file uploads of addresses
- my($fh) = $q->upload('addfile');
+ my($fh) = $q->param('addfile');
 return unless (defined($fh));
 while (<$fh>) {
- next if (/^\s*$/ or /^#/); # blank, comments
- next unless (/\@/); # email address ...
- chomp();
- push @addresses, $_;
+ next if (/^\s*$/ or /^#/); # blank, comments
+ next unless ( /(\w[\-\w_\.]*)@(\w[\-\w_\.]+)/ ); # email address ...
+ chomp();
+ push @addresses, "$_";
 }
- } else {
-
- # User typed in an address
- return if ($q->param('addsubscriber') eq '');
-
- $address = $q->param('addsubscriber');
- $address .= $DEFAULT_HOST if ($q->param('addsubscriber') =~ /\@$/);
- push @addresses, $address;
- }
+
+ # User typed in an address
+ if ($q->param('addsubscriber') ne '') {
+
+ $address = $q->param('addsubscriber');
+ $address .= $DEFAULT_HOST if ($q->param('addsubscriber') =~ /\@$/);
+
+ # untaint
+ if ($address =~ /(\w[\-\w_\.]*)@(\w[\-\w_\.]+)/) {
+ push @addresses, "$1\@$2";
+ } else {
+ warn "this address ($address) is not valid!";
+ }
+
+ }
 foreach $address (@addresses) {