author | bbaetz%student.usyd.edu.au <> | 2002-07-10 08:40:31 +0200 |
---|---|---|
committer | bbaetz%student.usyd.edu.au <> | 2002-07-10 08:40:31 +0200 |
commit | 2a609ad58ffde7e3b03b3fb576c0012e99beba55 (patch) | |
tree | 04949298dda64b7a61cca580dabb469693fda3f8 | |
parent | 75082eeb8e619fdd839593f1e74053ccd7d58137 (diff) | |
bug 155861 - showdependencygraph.cgi fails taint check with local dot
installation
r=gerv, myk
-rwxr-xr-x | checksetup.pl | 26 | ||||
-rwxr-xr-x | showdependencygraph.cgi | 11 |
2 files changed, 25 insertions, 12 deletions
diff --git a/checksetup.pl b/checksetup.pl
index 94172150d..4682359bf 100755
--- a/checksetup.pl
+++ b/checksetup.pl
@@ -640,8 +640,8 @@ $::ENV{'PATH'} = $origPath;
 unless (-d 'data') {
 print "Creating data directory ...\n";
 # permissions for non-webservergroup are fixed later on
- mkdir 'data', 0770;
- mkdir 'data/mimedump-tmp', 01777;
+ mkdir 'data', 0770;
+ mkdir 'data/mimedump-tmp', 01777;
 open FILE, '>>data/comments'; close FILE;
 open FILE, '>>data/nomail'; close FILE;
 open FILE, '>>data/mail'; close FILE;
@@ -726,7 +726,16 @@ unless (-d 'graphs') {
 close(IN);
 close(OUT);
- }
+ }
+}
+
+unless (-d 'data/mining') {
+ mkdir 'data/mining', 0700;
+}
+
+unless (-d 'data/webdot') {
+ # perms/ownership are fixed up later
+ mkdir 'data/webdot', 0700;
 }
 if ($my_create_htaccess) {
@@ -771,10 +780,6 @@ END
 chmod $fileperm, "template/.htaccess";
 }
 if (!-e "data/webdot/.htaccess") {
- if (!-d "data/webdot") {
- mkdir "data/webdot", $dirperm;
- chmod $dirperm, "data/webdot"; # the perms on mkdir don't seem to apply for some reason...
- }
 print "Creating data/webdot/.htaccess...\n";
 open HTACCESS, ">data/webdot/.htaccess";
 print HTACCESS <<'END';
@@ -1073,7 +1078,10 @@ if ($my_webservergroup) {
 # userid.
 fixPerms('.htaccess', $<, $webservergid, 027); # glob('*') doesn't catch dotfiles
 fixPerms('data/.htaccess', $<, $webservergid, 027);
+ fixPerms('data/duplicates', $<, $webservergid, 027, 1);
+ fixPerms('data/mining', $<, $webservergid, 027, 1);
 fixPerms('data/template', $<, $webservergid, 007, 1); # webserver will write to these
+ fixPerms('data/webdot', $<, $webservergid, 007, 1);
 fixPerms('data/webdot/.htaccess', $<, $webservergid, 027);
 fixPerms('data/params', $<, $webservergid, 017);
 fixPerms('*', $<, $webservergid, 027);
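Review bot: Both new `mkdir` calls in the `@@ -726` hunk of checksetup.pl discard their return value, so a failure to create `data/mining` or `data/webdot` goes unreported. It would only surface later, at the equally unchecked `open HTACCESS, ">data/webdot/.htaccess";` visible in the next hunk, or at run time in the CGI. I would fail loudly at the point of creation: `mkdir 'data/webdot', 0700 or die "Couldn't create data/webdot: $!";`, and the same for `data/mining`. Creating with 0700 and widening later in the fixPerms pass is the right order; the `# perms/ownership are fixed up later` comment is worth repeating on the `data/mining` block, which gets the same treatment.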
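Review bot: The added `fixPerms('data/webdot', $<, $webservergid, 007, 1);` in the `@@ -1073` hunk carries no comment explaining why this directory is left group-writable while `data/duplicates` and `data/mining` get 027. The only hint is the trailing `# webserver will write to these` on the `data/template` line above it, which a later edit can easily separate from the webdot line. I would give the new line its own comment, e.g. `# webserver writes the dependency-graph .dot files here`, and do the same for the matching `fixPerms('data/webdot', $<, $gid, 000, 1);` line in the `@@ -1093` hunk. The meaning of the fifth argument is not visible in this diff; if it means "recurse", saying so at one of these call sites would help the next reader audit the resulting modes.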
@@ -1093,7 +1101,11 @@ if ($my_webservergroup) {
 my $gid = (split " ", $()[0];
 fixPerms('.htaccess', $<, $gid, 022); # glob('*') doesn't catch dotfiles
 fixPerms('data/.htaccess', $<, $gid, 022);
+ fixPerms('data/duplicates', $<, $gid, 022, 1);
+ fixPerms('data/mining', $<, $gid, 022, 1);
 fixPerms('data/template', $<, $gid, 000, 1); # webserver will write to these
+ fixPerms('data/webdot', $<, $gid, 000, 1);
+ chmod 01777, 'data/webdot';
 fixPerms('data/webdot/.htaccess', $<, $gid, 022);
 fixPerms('data/params', $<, $gid, 011);
 fixPerms('*', $<, $gid, 022);
diff --git a/showdependencygraph.cgi b/showdependencygraph.cgi
index cf2122540..2a5d20f6c 100755
--- a/showdependencygraph.cgi
+++ b/showdependencygraph.cgi
@@ -75,8 +75,6 @@ if (!defined($::FORM{'id'}) && !defined($::FORM{'doall'})) {
 exit;
 }
-mkdir("data/webdot", 0777);
-
 my $filename = "data/webdot/$$.dot";
 my $urlbase = Param('urlbase');
@@ -189,10 +187,13 @@ if ($webdotbase =~ /^https?:/) {
 # Cleanup any old .dot files created from previous runs.
 my $since = time() - 24 * 60 * 60;
-foreach my $f (glob("data/webdot/*.dot
- data/webdot/*.png
- data/webdot/*.map"))
+# Can't use glob, since even calling that fails taint checks for perl < 5.6
+opendir(DIR, "data/webdot/");
+my @files = grep { /\.dot$|\.png$|\.map$/ && -f "data/webdot/$_" } readdir(DIR);
+closedir DIR;
+foreach my $f (@files)
 {
+ $f = "data/webdot/$f";
 # Here we are deleting all old files. All entries are from the
 # data/webdot/ directory. Since we're deleting the file (not following
 # symlinks), this can't escape to delete anything it shouldn't |
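Review bot: `chmod 01777, 'data/webdot';` in the `@@ -1093` hunk leaves the directory world-writable whenever no webserver group is configured, while showdependencygraph.cgi names its output `data/webdot/$$.dot`, a process-id name that any local account can predict. The sticky bit stops other users removing or renaming an existing file, but it does not stop that name being created first by someone else. How the CGI opens the file is outside this diff, so whether the open is exclusive should be confirmed there. On this line I would state the trade-off in a comment, e.g. `# no webserver group: must be world-writable; sticky bit so users can't remove each other's files`, and check the result: `chmod(01777, 'data/webdot') or warn "chmod data/webdot: $!";`.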
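Review bot: `opendir(DIR, "data/webdot/");` in the `@@ -189` hunk of showdependencygraph.cgi is not checked, so if the directory is missing or unreadable `readdir` yields nothing and the cleanup of old files is skipped with no diagnostic. `opendir(DIR, "data/webdot/") or warn "Can't open data/webdot: $!";` would surface that. The `grep` is the only visible check on names that are then prefixed and, per the comment below, deleted, so I would anchor it with `\z` rather than `$`, which also matches before a trailing newline: `/\.(?:dot|png|map)\z/`. `-f` follows symlinks, so a link to a regular file passes the filter; that is harmless only while the loop unlinks entries and never opens them. The loop body continues outside the hunk, so how `$f` is untainted before the delete cannot be judged from here.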