file upload fixed

taint errors removed
lars 2005-03-23 00:47:13 +00:00
parent 48f82d7cd6
commit f33e26c5aa
3 changed files with 48 additions and 26 deletions


@ -86,6 +86,12 @@ Version 2.1 - 25/09/00
Version 2.2 - 26/01/02005
* German translation of the web interface - more translations can be added easily
* changed "ALT"-tags to "TITLE" - most browsers will display the tooltip texts now
* fixed security problems (permissions were not thoroughly check)
* fixed security problems (permissions were not thoroughly checked)
* user-based permission for creating lists (can be set in webusersrc)
* the location of the webusers file is now an option in ezmlmwebrc
Version 2.3 - ??/04/02005
* css styles are used instead of tables
* permission check for upload of files fixed
* removed some taint errors
* file upload typo fixed


@ -1,13 +1,23 @@
$Id: TODO,v 1.3 2000/09/25 19:58:02 guy Exp $
TODO - ezmlm-web 2.2
TODO - ezmlm-web 2.3
- mention in INSTALL, that a missing webusers-file deactivates access control
- webusers is not mentioned in INSTALL
- change ./lang/ to /usr/local/share/ezmlm-web/lang
- more documentation
- some nice install method
- Option for a css-stylesheet
- migrate header and footer in ezmlmwebrc to css
- improve css-design
DOKU:
- mention in INSTALL, that a missing webusers-file deactivates access control
- more documentation
- webusers is not mentioned in INSTALL
ORG:
- change ./lang/ to /usr/local/share/ezmlm-web/lang
- move unknown.gif to systemausfall.org
- some nice install method
CODE:
- check and improve DEFAULT_HOST
- check virtual user testing
- implement ldap authorisation
CSS:
- Option for a css-stylesheet
- migrate header and footer in ezmlmwebrc to css
- improve css-design


@ -1,4 +1,4 @@
#!/usr/bin/perl -T
#!/usr/bin/perl
#===========================================================================
# ezmlm-web.cgi - version 2.2 - 26/01/02005
# $Id: ezmlm-web.cgi,v 1.3 2000/09/25 19:58:07 guy Exp $
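Review bot: Removing `-T` from the shebang line switches off taint checking for the whole CGI, so the taint errors are silenced rather than fixed and request data is no longer forced through validation before it reaches the list-handling code; I would keep `#!/usr/bin/perl -T` and untaint at each input instead. In the add_address hunk further down, the upload loop matches each line against the address pattern but then pushes `"$_"`, which is still the raw line and would remain tainted; pushing the captures as the typed-address branch does, `push @addresses, "$1\@$2";`, would untaint it. The pattern is also unanchored in both branches, so any string that merely contains something address-like passes, with the upload branch keeping the whole line and the typed branch silently cutting it down to the matched part; anchoring it with `\A` and `\z` after the `chomp` would make the check reject such input. The add_address hunk continues past the visible part of the page, so how `@addresses` is used afterwards is not covered here.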
@ -501,31 +501,37 @@ sub add_address {
my ($address, $list, @addresses, $count); my ($listname, $part) = @_;
$list = new Mail::Ezmlm($listname);
if($q->param('addfile')) {
if (($q->param('addfile')) && ($FILE_UPLOAD)) {
# Sanity check
die "File upload must be of type text/*" unless($q->uploadInfo($q->param('addfile'))->{'Content-Type'} =~ m{^text/});
# Handle file uploads of addresses
my($fh) = $q->upload('addfile');
my($fh) = $q->param('addfile');
return unless (defined($fh));
while (<$fh>) {
next if (/^\s*$/ or /^#/); # blank, comments
next unless (/\@/); # email address ...
chomp();
push @addresses, $_;
next if (/^\s*$/ or /^#/); # blank, comments
next unless ( /(\w[\-\w_\.]*)@(\w[\-\w_\.]+)/ ); # email address ...
chomp();
push @addresses, "$_";
}
} else {
# User typed in an address
return if ($q->param('addsubscriber') eq '');
$address = $q->param('addsubscriber');
$address .= $DEFAULT_HOST if ($q->param('addsubscriber') =~ /\@$/);
push @addresses, $address;
}
# User typed in an address
if ($q->param('addsubscriber') ne '') {
$address = $q->param('addsubscriber');
$address .= $DEFAULT_HOST if ($q->param('addsubscriber') =~ /\@$/);
# untaint
if ($address =~ /(\w[\-\w_\.]*)@(\w[\-\w_\.]+)/) {
push @addresses, "$1\@$2";
} else {
warn "this address ($address) is not valid!";
}
}
foreach $address (@addresses) {