spamassassin-commits mailing list archives

From felic...@apache.org
Subject svn commit: r376417 - /spamassassin/trunk/sa-update.raw
Date Thu, 09 Feb 2006 20:11:48 GMT
Author: felicity
Date: Thu Feb  9 12:11:46 2006
New Revision: 376417

URL: http://svn.apache.org/viewcvs?rev=376417&view=rev
Log:
need to untaint updatedir and channel list before using, or else we may get taint errors

Modified:
    spamassassin/trunk/sa-update.raw

Modified: spamassassin/trunk/sa-update.raw
URL: http://svn.apache.org/viewcvs/spamassassin/trunk/sa-update.raw?rev=376417&r1=376416&r2=376417&view=diff
==============================================================================
--- spamassassin/trunk/sa-update.raw (original)
+++ spamassassin/trunk/sa-update.raw Thu Feb  9 12:11:46 2006
@@ -183,7 +183,12 @@
 });
 
 # $opt{'updatedir'} ||= $SA->first_existing_path(@Mail::SpamAssassin::site_rules_path);
-$opt{'updatedir'} ||= $SA->sed_path('__local_state_dir__/spamassassin/__version__');
+if (defined $opt{'updatedir'}) {
+  $opt{'updatedir'} = Mail::SpamAssassin::Util::untaint_file_path($opt{'updatedir'});
+}
+else {
+  $opt{'updatedir'} = $SA->sed_path('__local_state_dir__/spamassassin/__version__');
+}
 
 dbg("generic: sa-update version $VERSION");
 dbg("generic: using update directory: $opt{'updatedir'}");
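
Review bot: in the new `if (defined $opt{'updatedir'})` branch, the result of Mail::SpamAssassin::Util::untaint_file_path() is assigned straight back with no check, so whatever the helper returns for a path it rejects (not visible in this diff) becomes the update directory used by the dbg() line and everything after it. Test the return value and stop with an error when the path is not accepted. Also, moving from `||=` to `defined` changes behaviour: an empty or "0" updatedir used to fall back to the sed_path() default and now goes through the untaint call instead; if that is not intended, test for a non-empty string rather than definedness.
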
@@ -261,6 +266,16 @@
     push(@channels, $chan);
   }
   close(CHAN);
+}
+
+# untaint the channel listing
+for(my $ind = 0; $ind < @channels; $ind++) {
+  if ($channels[$ind] =~ /^([a-zA-Z0-9._-]+)$/) {
+    $channels[$ind] = $1;
+  }
+  else {
+    splice @channels, $ind, 1;
+  }
 }
 
 # find GPG in the PATH
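
Review bot: the `splice @channels, $ind, 1;` in the else branch removes an element while the loop still runs `$ind++`, so the entry that shifts into position $ind is never tested; with two invalid names in a row the second one stays in @channels, still tainted. Either decrement $ind after the splice or rebuild the list in one pass, for example `@channels = map { /^([a-zA-Z0-9._-]+)$/ ? $1 : () } @channels;`. A dbg() line for each dropped entry would also help, since a mistyped channel name is currently discarded silently.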


