| author | Andreas Brachold <vdr07@deltab.de> | 2007-12-16 19:54:08 +0000 |
|---|---|---|
| committer | Andreas Brachold <vdr07@deltab.de> | 2007-12-16 19:54:08 +0000 |
| commit | ab1a628220ec6e780613c7a88e75e53779ce0233 (patch) | |
| tree | eb83ed2e76f841e082d7b2156a27c4ce0456c03e /lib | |
| parent | e74bdb7184b4e72ae58c5175464ef6a3db96aff7 (diff) | |
* HTTPD: Block recursive file access
* HTTPD: Fix typo at binary access
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/XXV/MODULES/HTTPD.pm | 10 | ||||
| -rw-r--r-- | lib/XXV/OUTPUT/Ajax.pm | 2 |
2 files changed, 8 insertions, 4 deletions
diff --git a/lib/XXV/MODULES/HTTPD.pm b/lib/XXV/MODULES/HTTPD.pm
index 1c96df7..22f31b1 100644
--- a/lib/XXV/MODULES/HTTPD.pm
+++ b/lib/XXV/MODULES/HTTPD.pm
@@ -271,6 +271,9 @@ sub communicator
 if(($data->{Request} eq '/' or $data->{Request} =~ /\.html$/) and not $data->{Query}) {
 # Send the first page (index.html)
 my $page = $data->{Request};
+$page =~ s/\.\.\///g;
+$page =~ s/\/\.\.//g;
+$page =~ s/\/+/\//g;
 if($page eq '/') {
 if(-r sprintf('%s/index.tmpl', $htmlRootDir)) {
 $console->index;
@@ -283,6 +286,9 @@ sub communicator
 } elsif(my $typ = $mime->{lc((split('\.', $data->{Request}))[-1])}) {
 # Send multimedia files (this must registered in $mime!)
 my $request = $data->{Request};
+$request =~ s/\.\.\///g;
+$request =~ s/\/\.\.//g;
+$request =~ s/\/+/\//g;
 if($request =~ /epgimages\//) {
 my $epgMod = main::getModule('EPG');
 if($epgMod) {
@@ -309,7 +315,7 @@ sub communicator
 } else {
 $obj->handleInput($watcher, $console, $cgi);
 $console->footer()
-unless($console->typ eq 'AJAX'
+unless($console->{TYP} eq 'AJAX'
 or $console->{noFooter});
 }
@@ -472,7 +478,7 @@ sub handleInput {
 if($cmdobj and not $shorterr) {
 if($cmdobj->{binary}) {
-$console->{NoFooter} = 1;
+$console->{noFooter} = 1;
 $console->{nocache} = 1 if($cmdobj->{binary} eq 'nocache');
 }
diff --git a/lib/XXV/OUTPUT/Ajax.pm b/lib/XXV/OUTPUT/Ajax.pm
index 7e07794..296b23a 100644
--- a/lib/XXV/OUTPUT/Ajax.pm
+++ b/lib/XXV/OUTPUT/Ajax.pm
@@ -91,8 +91,6 @@ sub new {
 $self->{TYP} = 'AJAX';
-$self->{CMDSTAT} = undef;
-
 return $self;
 } |
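Review bot: The sanitising added after `my $page = $data->{Request};` removes fixed substrings in a single pass, and a removal can splice a new traversal sequence out of what remains: `....//` turns into `../` after the first `s///g`, and `//....` turns into `/..` after the second, so whether a `..` segment survives depends on the surrounding characters and on whether the request was percent-decoded before this point, which is not visible in the hunk. A positive check on path segments is safer than stripping: after the substitutions, reject the request when any segment is `..` and take the same not-found path the handler already uses for missing files, `if (grep { $_ eq '..' } split m{/}, $page) { ... }`, or resolve the final path with `Cwd::realpath` and require it to start with `$htmlRootDir`. The same three substitutions are repeated for `$request` in the second hunk; a shared helper would keep both branches in sync. `communicator` starts and ends outside the hunk.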
