Allow curly braces to be used in pagespecs
And avoid a whole class of potential security problems (though none that I know of actually existing...), by avoiding performing any string interpolation on user-supplied data when translating pagespecs.
parent
0516ba04d0
commit
23a4ee6d15
16
IkiWiki.pm
16
IkiWiki.pm
|
@ -1678,12 +1678,6 @@ sub rcs_receive () {
|
|||
$hooks{rcs}{rcs_receive}{call}->();
|
||||
}
|
||||
|
||||
sub safequote ($) {
|
||||
my $s=shift;
|
||||
$s=~s/[{}]//g;
|
||||
return "q{$s}";
|
||||
}
|
||||
|
||||
sub add_depends ($$) {
|
||||
my $page=shift;
|
||||
my $pagespec=shift;
|
||||
|
@ -1785,6 +1779,7 @@ sub pagespec_translate ($) {
|
|||
|
||||
# Convert spec to perl code.
|
||||
my $code="";
|
||||
my @data;
|
||||
while ($spec=~m{
|
||||
\s* # ignore whitespace
|
||||
( # 1: match a single word
|
||||
|
@ -1812,14 +1807,17 @@ sub pagespec_translate ($) {
|
|||
}
|
||||
elsif ($word =~ /^(\w+)\((.*)\)$/) {
|
||||
if (exists $IkiWiki::PageSpec::{"match_$1"}) {
|
||||
$code.="IkiWiki::PageSpec::match_$1(\$page, ".safequote($2).", \@_)";
|
||||
push @data, $2;
|
||||
$code.="IkiWiki::PageSpec::match_$1(\$page, \$data[$#data], \@_)";
|
||||
}
|
||||
else {
|
||||
$code.="IkiWiki::ErrorReason->new(".safequote(qq{unknown function in pagespec "$word"}).")";
|
||||
push @data, qq{unknown function in pagespec "$word"};
|
||||
$code.="IkiWiki::ErrorReason->new(\$data[$#data])";
|
||||
}
|
||||
}
|
||||
else {
|
||||
$code.=" IkiWiki::PageSpec::match_glob(\$page, ".safequote($word).", \@_)";
|
||||
push @data, $word;
|
||||
$code.=" IkiWiki::PageSpec::match_glob(\$page, \$data[$#data], \@_)";
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
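Review bot: `$1` is still interpolated into `$code` as the sub name on the new `match_$1` line, so the `\w+` capture in `/^(\w+)\((.*)\)$/` and the `exists $IkiWiki::PageSpec::{"match_$1"}` guard are now the only things standing between a pagespec and code injection; that invariant deserves a comment so nobody later loosens the regex (for example to allow `::` or `-`) without noticing. Suggested comment above the `if (exists ...)` line: `# $1 is interpolated into the generated code as a sub name; keep it restricted to \w+ and verified against the PageSpec stash. All other user-supplied text goes into @data and is referenced by index, never interpolated.` The generated code refers to the lexical `@data` declared earlier in pagespec_translate, so the eval that compiles `$code` has to stay in the same lexical scope; that eval is outside this hunk, so I could not confirm it. pagespec_translate's body begins and ends outside the hunk.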
@ -6,6 +6,9 @@ ikiwiki (3.13) UNRELEASED; urgency=low
|
|||
of other underlays via add_underlay.
|
||||
* More friendly display of markdown, textile in edit form selector
|
||||
(jmtd)
|
||||
* Allow curly braces to be used in pagespecs, and avoid a whole class
|
||||
of potential security problems, by avoiding performing any string
|
||||
interpolation on user-supplied data when translating pagespecs.
|
||||
|
||||
-- Joey Hess <joeyh@debian.org> Wed, 06 May 2009 20:45:44 -0400
|
||||
|
||||
|
|
|
@ -35,6 +35,6 @@ More tests:
|
|||
> * Avoid exposing user input to interpolation as a string. One
|
||||
> way that comes to mind is to have a local string lookup hash,
|
||||
> and insert each user specified string into it, then use the hash
|
||||
> to lookup the specified strings at runtime.
|
||||
> to lookup the specified strings at runtime. [[done]]
|
||||
>
|
||||
> --[[Joey]]
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
#!/usr/bin/perl
|
||||
use warnings;
|
||||
use strict;
|
||||
use Test::More tests => 51;
|
||||
use Test::More tests => 53;
|
||||
|
||||
BEGIN { use_ok("IkiWiki"); }
|
||||
|
||||
|
@ -28,6 +28,8 @@ ok(pagespec_match("a/foo", "./*", "a/b"), "relative oldstyle call");
|
|||
ok(pagespec_match("foo", "./*", location => "a"), "relative toplevel");
|
||||
ok(pagespec_match("foo/bar", "*", location => "baz"), "absolute");
|
||||
ok(! pagespec_match("foo", "foo and bar"), "foo and bar");
|
||||
ok(pagespec_match("{f}oo", "{*}*"), "curly match");
|
||||
ok(! pagespec_match("foo", "{*}*"), "curly !match");
|
||||
|
||||
# The link and backlink stuff needs this.
|
||||
$config{userdir}="";
|
||||
|
|
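Review bot: The two new tests only exercise braces inside a bare glob word; nothing covers a brace or quoting character inside a function argument, which is the path that previously went through safequote() and is the case this commit most wants to lock down. A case such as `ok(pagespec_match("{f}oo", "glob({f}oo)"), "curly in function arg");` would pin that, assuming the tokenizer accepts braces inside the parentheses (the word regex is outside this hunk). It would also be worth asserting that an argument containing Perl quoting characters such as `}` or `\` yields a clean non-match rather than a failed eval, and `tests => 53` must be bumped for each added case.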