RT 4.0.22

[freeside.git] / rt / bin / webmux.pl

diff --git a/rt/bin/webmux.pl b/rt/bin/webmux.pl
old mode 100755 (executable)
new mode 100644 (file)
index 35ef4db..8ce68ca
--- a/rt/bin/webmux.pl
+++ b/rt/bin/webmux.pl
@@ -1,4 +1,4 @@
-#!/Users/falcone/perl5/perlbrew/bin/perl
+#!/usr/bin/perl
 # BEGIN BPS TAGGED BLOCK {{{
 #
 # COPYRIGHT:
@@ -73,7 +73,8 @@ sub handler {
         # and make all system() and open "|-" dangerouse, for example DBI
         # can get this FD for DB connection and system() call will close
         # by putting grabage into the socket
-        open $protect_fd, '>/dev/null' or die "Couldn't open /dev/null: $!";
+        open( $protect_fd, '>', '/dev/null' )
+          or die "Couldn't open /dev/null: $!";
         unless ( fileno($protect_fd) == 1 ) {
             warn "We opened /dev/null to protect FD #1, but descriptor #1 is already occupied";
         }
@@ -93,6 +94,20 @@ sub handler {
 
     RT::ConnectToDatabase();
 
+    # none of the methods in $r gives us the information we want (most
+    # canonicalize /foo/../bar to /bar which is exactly what we want to avoid)
+    my (undef, $requested) = split ' ', $r->the_request, 3;
+    my $uri = URI->new("http://".$r->hostname.$requested);
+    my $path = URI::Escape::uri_unescape($uri->path);
+
+    ## Each environment has its own way of handling .. and so on in paths,
+    ## so RT consistently forbids such paths.
+    if ( $path =~ m{/\.} ) {
+        $RT::Logger->crit("Invalid request for ".$path." aborting");
+        RT::Interface::Web::Handler->CleanupRequest();
+        return 400;
+    }
+
     my (%session, $status);
     {
         local $@;
@@ -121,7 +136,7 @@ CGI->import(qw(-private_tempfiles));
 # fix lib paths, some may be relative
 BEGIN {
     require File::Spec;
-    my @libs = ("lib", "local/lib");
+    my @libs = ("/opt/rt3/lib", "/opt/rt3/local/lib");
     my $bin_path;
 
     for my $lib (@libs) {