X-Git-Url: http://git.freeside.biz/gitweb/?a=blobdiff_plain;f=rt%2Fbin%2Fwebmux.pl;h=8ce68ca142507ee1714c43a95bb6de7954584163;hb=5b3efac57771fbc37874a3dd39d3df835cdd6133;hp=35ef4dba4e6e472d3c9e3de3949c541213e94787;hpb=fc6209f398899f0211cfcedeb81a3cd65e04a941;p=freeside.git
diff --git a/rt/bin/webmux.pl b/rt/bin/webmux.pl
old mode 100755
new mode 100644
index 35ef4dba4..8ce68ca14
--- a/rt/bin/webmux.pl
+++ b/rt/bin/webmux.pl
@@ -1,4 +1,4 @@
-#!/Users/falcone/perl5/perlbrew/bin/perl
+#!/usr/bin/perl
 # BEGIN BPS TAGGED BLOCK {{{
 #
 # COPYRIGHT:
@@ -73,7 +73,8 @@ sub handler {
 # and make all system() and open "|-" dangerouse, for example DBI
 # can get this FD for DB connection and system() call will close
 # by putting grabage into the socket
- open $protect_fd, '>/dev/null' or die "Couldn't open /dev/null: $!";
+ open( $protect_fd, '>', '/dev/null' )
+ or die "Couldn't open /dev/null: $!";
 unless ( fileno($protect_fd) == 1 ) {
 warn "We opened /dev/null to protect FD #1, but descriptor #1 is already occupied";
 }
@@ -93,6 +94,20 @@ sub handler {
 RT::ConnectToDatabase();
+ # none of the methods in $r gives us the information we want (most
+ # canonicalize /foo/../bar to /bar which is exactly what we want to avoid)
+ my (undef, $requested) = split ' ', $r->the_request, 3;
+ my $uri = URI->new("http://".$r->hostname.$requested);
+ my $path = URI::Escape::uri_unescape($uri->path);
+ ## Each environment has its own way of handling .. and so on in paths,
+ ## so RT consistently forbids such paths.
+ if ( $path =~ m{/\.} ) {
+ $RT::Logger->crit("Invalid request for ".$path." aborting");
+ RT::Interface::Web::Handler->CleanupRequest();
+ return 400;
+ }
+
 my (%session, $status);
 {
 local $@;
@@ -121,7 +136,7 @@ CGI->import(qw(-private_tempfiles));
 # fix lib paths, some may be relative
 BEGIN {
 require File::Spec;
- my @libs = ("lib", "local/lib");
+ my @libs = ("/opt/rt3/lib", "/opt/rt3/local/lib");
 my $bin_path;
 for my $lib (@libs) {
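Review bot: The `$RT::Logger->crit(...)` call in the new `if ( $path =~ m{/\.} )` branch logs `$path` after `URI::Escape::uri_unescape`, so a client can put decoded `\n`, `\r` or terminal-escape bytes (e.g. `%0a`) from the request line into a single log entry and forge extra log lines; the decoded `$path` is the right thing to match on, but the message should log the still-encoded form, e.g. `$RT::Logger->crit("Invalid request for ".$uri->path." aborting");`. Separately, `$requested` is undef when the request line has fewer than two tokens and `$r->hostname` may be undef for a request without a Host header; as far as the visible lines show that only yields uninitialized-value warnings in the string concatenation rather than a bypass, but a `defined` guard that returns 400 would make the intent explicit. The body of `handler` continues outside this hunk.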
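Review bot: The context comment `# fix lib paths, some may be relative` above the changed `my @libs` line is now misleading, since both entries are absolute `/opt/rt3` paths and the relative-path resolution that the remainder of this BEGIN block presumably performs (its body continues outside the hunk) no longer has anything to act on for them. Either update the comment, e.g. `# lib paths; hard-coded to the /opt/rt3 install, so the relative-path fixup below is effectively a no-op for these`, or keep the relative defaults and derive the install prefix from one shared place so this handler cannot drift from the rest of the deployment. A one-line note stating that the path is deliberately deployment-specific would also help the next packager.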