Posted to axkit-dev@xml.apache.org by ma...@sergeant.org on 2006/08/24 15:33:34 UTC

[SVN] [120] Fixup logic, and security hole :-)

Revision: 120
Author:   matt
Date:     2006-08-24 13:33:14 +0000 (Thu, 24 Aug 2006)

Log Message:
-----------
Fixup logic, and security hole :-)

Modified Paths:
--------------
    trunk/plugins/demo/doc_viewer

Modified: trunk/plugins/demo/doc_viewer
===================================================================
--- trunk/plugins/demo/doc_viewer	2006-08-24 00:06:56 UTC (rev 119)
+++ trunk/plugins/demo/doc_viewer	2006-08-24 13:33:14 UTC (rev 120)
@@ -53,14 +53,20 @@
         my $module = $uri;
         $uri = "lib/$uri" unless $uri =~ /plugins::/;
         $uri =~ s/::/\//g;
-        $uri .= '.pm' if -e "${uri}.pm";
-        $uri .= '.pod' if -e "${uri}.pod";
-        # TODO: fix this huge security hole?
-        $uri = `perldoc -l '$module'`;
+        if    (-e "${uri}.pm") { $uri .= '.pm' }
+        elsif (-e "${uri}.pod") { $uri .= '.pod' }
+        else {
+            die "Invalid module name: $module" if $module =~ /[^\w:]/;
+            chomp($uri = `perldoc -l '$module'`);
+        }
+        if ($uri !~ /\//) {
+            return NOT_FOUND;
+        }
     }
     else {
         # Ignore?
-        die "Unsupported URL: $uri";
+        # die "Unsupported URL: $uri";
+        return NOT_FOUND;
     }
     
     my $builder = XML::LibXML::SAX::Builder->new();
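Review bot: The added check `die "Invalid module name: $module" if $module =~ /[^\w:]/;` only runs in the `else` branch, so the `-e "${uri}.pm"` and `-e "${uri}.pod"` tests above it still build a filesystem path from an unvalidated name. If `$uri` comes from the request (its origin is outside this hunk), a name with characters outside `[\w:]` could resolve to a `.pm` or `.pod` file outside `lib/` and the plugins tree, which the code after the hunk then appears to process. Moving the check to directly after `my $module = $uri;` would cover all three branches. As defence in depth, the backtick call could become a list-form pipe, `open my $fh, '-|', 'perldoc', '-l', $module`, so that no shell parses the name even if the character check is later relaxed. The enclosing `if`/`else` starts before the hunk and the handler continues after it.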