From da5d29f95f6e693e8c14be1b896cf25cf4fdb3c0 Mon Sep 17 00:00:00 2001 From: David Riebenbauer Date: Wed, 3 Feb 2010 06:57:20 +0100 Subject: [PATCH] fix bugs in `find_src_files()`. Use `_` to avoid superfluous stat. Check for `defined $file`, instead of just `$file`. Add spaces after commas. Change return values of `verify_src_file()` to not return the tainted filename. Rename `$f` to `$file_untainted in `verify_src_file()`. $f changes to `$file` in `find_src_files()`. This attempts to fix commit f3abeac919c4736429bd3362af6edf51ede8e7fe. For discussion see --- IkiWiki/Render.pm | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/IkiWiki/Render.pm b/IkiWiki/Render.pm index d2fa80fbb..5b72b6de1 100644 --- a/IkiWiki/Render.pm +++ b/IkiWiki/Render.pm @@ -284,7 +284,7 @@ sub verify_src_file ($$) { my $file=decode_utf8(shift); my $dir=shift; - return if -l $file || -d $file; + return if -l $file || -d _; $file=~s/^\Q$dir\E\/?//; return if ! length $file; my $page = pagename($file); @@ -294,11 +294,11 @@ sub verify_src_file ($$) { return; } - my ($f) = $file =~ /$config{wiki_file_regexp}/; # untaint - if (! defined $f) { + my ($file_untainted) = $file =~ /$config{wiki_file_regexp}/; # untaint + if (! defined $file_untainted) { warn(sprintf(gettext("skipping bad filename %s"), $file)."\n"); } - return ($file,$page,$f); + return ($file_untainted, $page); } sub find_src_files () { @@ -309,8 +309,8 @@ sub find_src_files () { find({ no_chdir => 1, wanted => sub { - my ($file,$page,$f) = verify_src_file($_,$config{srcdir}); - if ($file) { + my ($file, $page) = verify_src_file($_, $config{srcdir}); + if (defined $file) { push @files, $file; if ($pages{$page}) { debug(sprintf(gettext("%s has multiple possible source pages"), $page)); @@ -323,14 +323,14 @@ sub find_src_files () { find({ no_chdir => 1, wanted => sub { - my ($file,$page,$f) = verify_src_file($_,$dir); - if ($f) { + my ($file, $page) = verify_src_file($_, $dir); + if (defined $file) { # avoid underlaydir override # attacks; see security.mdwn - if (! -l "$config{srcdir}/$f" && + if (! -l "$config{srcdir}/$file" && ! -e _) { if (! $pages{$page}) { - push @files, $f; + push @files, $file; $pages{$page}=1; } } -- 2.39.5