remove verify_src_file
Splitting out this function bothered me. It is conceptially similar to file_pruned, and yet also very specific to exactly the security needs of find_src_files. I liked that it got rid of duplicate code in the latter function. So instead, put a helper sub in that, which I think allows refactoring things more cleanly, and with less boilerplate. As to the needs of gen_autofile, I'm not convinced this needs to handle the same set of problems that verify_src_file did. So I sat down and wrote a custom validator for autofiles, which turned out to seem to just need three things: Make sure the candidate filename is not something that would be pruned; untaint the candidate filename; and make sure that srcdir doesn't already have something with its name. (Plus, of course, all the other checks that were already in gen_autofile.) (In passing, also fixed a bunch of bugs I had introduced in this branch.)master
Joey Hess
parent
9c8761ba49
commit
034b4e8266
|
|
@ -281,68 +281,59 @@ sub srcdir_check () {
|
|||
|
||||
}
|
||||
|
||||
sub verify_src_file ($$) {
|
||||
my $file=shift;
|
||||
my $dir=shift;
|
||||
|
||||
return if -l $file || -d _;
|
||||
$file=~s/^\Q$dir\E\/?//;
|
||||
return if ! length $file;
|
||||
my $page = pagename($file);
|
||||
if (! exists $pagesources{$page} &&
|
||||
file_pruned($file)) {
|
||||
return;
|
||||
}
|
||||
|
||||
my ($file_untainted) = $file =~ /$config{wiki_file_regexp}/; # untaint
|
||||
if (! defined $file_untainted) {
|
||||
warn(sprintf(gettext("skipping bad filename %s"), $file)."\n");
|
||||
}
|
||||
return ($file_untainted, $page);
|
||||
}
|
||||
|
||||
sub find_src_files () {
|
||||
my @files;
|
||||
my %pages;
|
||||
eval q{use File::Find};
|
||||
error($@) if $@;
|
||||
|
||||
my ($page, $dir, $underlay);
|
||||
my $helper=sub {
|
||||
my $file=decode_utf8($_);
|
||||
|
||||
return if -l $file || -d _;
|
||||
$file=~s/^\Q$dir\E\/?//;
|
||||
return if ! length $file;
|
||||
$page = pagename($file);
|
||||
if (! exists $pagesources{$page} &&
|
||||
file_pruned($file)) {
|
||||
$File::Find::prune=1;
|
||||
return;
|
||||
}
|
||||
|
||||
my ($f) = $file =~ /$config{wiki_file_regexp}/; # untaint
|
||||
if (! defined $f) {
|
||||
warn(sprintf(gettext("skipping bad filename %s"), $file)."\n");
|
||||
}
|
||||
|
||||
if ($underlay) {
|
||||
# avoid underlaydir override attacks; see security.mdwn
|
||||
if (! -l "$config{srcdir}/$f" && ! -e _) {
|
||||
if (! $pages{$page}) {
|
||||
push @files, $f;
|
||||
$pages{$page}=1;
|
||||
}
|
||||
}
|
||||
}
|
||||
else {
|
||||
push @files, $f;
|
||||
if ($pages{$page}) {
|
||||
debug(sprintf(gettext("%s has multiple possible source pages"), $page));
|
||||
}
|
||||
$pages{$page}=1;
|
||||
}
|
||||
};
|
||||
|
||||
find({
|
||||
no_chdir => 1,
|
||||
wanted => sub {
|
||||
my ($file, $page) = verify_src_file(decode_utf8($_), $config{srcdir});
|
||||
if (defined $file) {
|
||||
push @files, $file;
|
||||
if ($pages{$page}) {
|
||||
debug(sprintf(gettext("%s has multiple possible source pages"), $page));
|
||||
}
|
||||
$pages{$page}=1;
|
||||
}
|
||||
else {
|
||||
$File::Find::prune=1;
|
||||
}
|
||||
},
|
||||
}, $config{srcdir});
|
||||
foreach my $dir (@{$config{underlaydirs}}, $config{underlaydir}) {
|
||||
wanted => $helper,
|
||||
}, $dir=$config{srcdir});
|
||||
$underlay=1;
|
||||
foreach (@{$config{underlaydirs}}, $config{underlaydir}) {
|
||||
find({
|
||||
no_chdir => 1,
|
||||
wanted => sub {
|
||||
my ($file, $page) = verify_src_file(decode_utf8($_), $dir);
|
||||
if (defined $file) {
|
||||
# avoid underlaydir override
|
||||
# attacks; see security.mdwn
|
||||
if (! -l "$config{srcdir}/$file" &&
|
||||
! -e _) {
|
||||
if (! $pages{$page}) {
|
||||
push @files, $file;
|
||||
$pages{$page}=1;
|
||||
}
|
||||
}
|
||||
}
|
||||
else {
|
||||
$File::Find::prune=1;
|
||||
}
|
||||
},
|
||||
}, $dir);
|
||||
wanted => $helper,
|
||||
}, $dir=$_);
|
||||
};
|
||||
return \@files, \%pages;
|
||||
}
|
||||
|
|
@ -691,24 +682,28 @@ sub gen_autofile ($$$) {
|
|||
my $pages=shift;
|
||||
my $del=shift;
|
||||
|
||||
if (srcfile($autofile, 1)) {
|
||||
return 0;
|
||||
if (srcfile($autofile, 1) || file_pruned($autofile)) {
|
||||
return;
|
||||
}
|
||||
|
||||
my $file="$config{srcdir}/$autofile" =~ /$config{wiki_file_regexp}/; # untaint
|
||||
if (! defined $file || -l $file || -d _ || -e _) {
|
||||
return;
|
||||
}
|
||||
|
||||
my ($file, $page) = verify_src_file("$config{srcdir}/$autofile", $config{srcdir});
|
||||
|
||||
if ((!defined $file) ||
|
||||
(exists $wikistate{$autofiles{$autofile}{plugin}}{autofile_deleted})) {
|
||||
return 0;
|
||||
return;
|
||||
}
|
||||
|
||||
my $page = pagename($file);
|
||||
if ($pages->{$page}) {
|
||||
return 0;
|
||||
return;
|
||||
}
|
||||
|
||||
if (grep { $_ eq $file } @$del) {
|
||||
$wikistate{$autofiles{$autofile}{generator}}{autofile_deleted}=1;
|
||||
return 0;
|
||||
$wikistate{$autofiles{$autofile}{plugin}}{autofile_deleted}=1;
|
||||
return;
|
||||
}
|
||||
|
||||
$autofiles{$autofile}{generator}->();
|
||||
|
|
|
|||
Loading…
Reference in New Issue