fix bug in the untainting code by splitting the checks into two parts

one checks for valid characters in a filename the other checks for both valid characters and valid directories as well.
2024-10-13 13:25:37 +00:00 · 2001-08-02 20:06:02 +00:00 · 2001-08-02 20:06:02 +00:00 · 028b162763
commit 028b162763
parent 9ac543bc59
3 changed files with 61 additions and 28 deletions
--- a/webtools/tinderbox2/src/bin/addnote.cgi
+++ b/webtools/tinderbox2/src/bin/addnote.cgi
@ -6,8 +6,8 @@
 #		 on the tinderbox status page.


-# $Revision: 1.7 $ 
-# $Date: 2001/07/20 19:04:47 $ 
+# $Revision: 1.8 $ 
+# $Date: 2001/08/02 20:06:02 $ 
 # $Author: kestes%walrus.com $ 
 # $Source: /home/hwine/cvs_conversion/cvsroot/mozilla/webtools/tinderbox2/src/bin/addnote.cgi,v $ 
 # $Name:  $ 
@ -197,7 +197,7 @@ sub save_note {
                       "/Notice\.Update\.$time\.$MAILADDR"); 

  $update_file =~ s/\@/\./g;
-  $update_file = main::extract_filename_chars($update_file);
+  $update_file = main::extract_safe_filename($update_file);
  
  Persistence::save_structure( 
                             $record,
--- a/webtools/tinderbox2/src/bin/processmail_builds
+++ b/webtools/tinderbox2/src/bin/processmail_builds
@ -12,8 +12,8 @@
 # server.  No locks are used by the mail processes, data is passed to
 # the tinderbox server in a maildir like format.

-# $Revision: 1.6 $ 
-# $Date: 2001/07/20 19:04:49 $ 
+# $Revision: 1.7 $ 
+# $Date: 2001/08/02 20:06:02 $ 
 # $Author: kestes%walrus.com $ 
 # $Source: /home/hwine/cvs_conversion/cvsroot/mozilla/webtools/tinderbox2/src/bin/processmail_builds,v $ 
 # $Name:  $ 
@ -605,22 +605,11 @@ sub process_bloat_data {
  return ;
 }

-
-
-# create the HTML file headers for both the full and brief log
-# files. This must run after the message body has been parsed as some
-# of the data comes from there.
-
-sub log_header {
-  my ($logtype) = @_;
-  
-  my ($out) = '';
-  my ($tree) = $TINDERBOX{'tree'};
-
-  $out .= HTMLPopUp::page_header('title'=>"$logtype Build Log ".
-                                 "for tree: $tree ");
+sub log_links {
+  my ($tree, $logtype) = @_;

  my $notlogtype = ( $logtype eq 'full' ? "brief" : "full");
+  my $out;

  $out .= "\n";
  $out .= "<font size=\"+1\">\n";
@ -641,7 +630,24 @@ sub log_header {
                         );
  $out .= "</font>\n";
  
-  $out .= "\n";
+
+  return $out
+}
+
+# create the HTML file headers for both the full and brief log
+# files. This must run after the message body has been parsed as some
+# of the data comes from there.
+
+sub log_header {
+  my ($logtype) = @_;
+  
+  my ($out) = '';
+  my ($tree) = $TINDERBOX{'tree'};
+
+  $out .= HTMLPopUp::page_header('title'=>"$logtype Build Log ".
+                                 "for tree: $tree ");
+
+  $out .= log_links($tree, $logtype)."\n";
  $out .= "<H2>Build Data</H2>\n";
  
  $out .= "<pre>\n";
@ -659,6 +665,19 @@ sub log_header {

 }

+sub log_footer {
+  my ($logtype) = @_;
+  
+  my ($out) = '';
+  my ($tree) = $TINDERBOX{'tree'};
+
+  $out .= log_links($tree, $logtype)."\n";
+  $out .= "</BODY>\n";
+  $out .= "</HTML>\n";
+
+  return $out;
+}
+

 # create the HTML links for errors this is for both 
 # 1) the $headerline,  which will appear in the error picklist 
@ -819,6 +838,12 @@ sub parse_mail_body {
    die("Could not write to file: '$TMP_FILE{'errorpick'}'. $!\n");

  print ERROR_PICK "<!-- error pick menu -->\n<pre>\n";
+  print ERROR_PICK HTMLPopUp::Link(
+                                   "linktxt"=>"End of Log File", 
+                                   "href"=>"\#EOF",
+                                   ).
+                                   "\n";
+    

  my ($next_err) = 1;
  my ($lines_since_error) = 0;
@ -930,11 +955,15 @@ sub parse_mail_body {
  my ($last_errline) = ("</pre><p>".
                        "<font size=\"+1\">".
                        HTMLPopUp::Link(
-                                   "name"=>"err".($next_err_ref),
-                                   "linktxt"=>"No More Errors", 
-                                   "href"=>"\#err".(1),
-                                  ).
-                        "</font><br>");
+                                        "name"=>"err".($next_err_ref),
+                                        "linktxt"=>"No More Errors", 
+                                        "href"=>"\#err".(1),
+                                        ).
+                        "</font>".
+                        HTMLPopUp::Link(
+                                        "name"=>"EOF",
+                                        ).
+                        "<br>");
  
  print BRIEF $last_errline;
  print FULL  $last_errline;
@ -989,6 +1018,8 @@ sub assemble_files {
      print FULL $line;
    }
    
+    print FULL log_footer('full');
+    
    close(FULL) ||
      die("Could not close file: '$FILE{'full-log'}': waitstaus: $? : $! \n");
    close(TMP_FULL) ||
@ -1017,6 +1048,8 @@ sub assemble_files {
      print BRIEF $line;
    }
    
+    print BRIEF log_footer('brief');
+
    close(BRIEF) ||
      die("Could not close file: '$FILE{'brief-log'}'.\n");
    close(TMP_BRIEF) ||            
--- a/webtools/tinderbox2/src/bin/rmlogs
+++ b/webtools/tinderbox2/src/bin/rmlogs
@ -6,8 +6,8 @@
 #          days set in TinderConfig.  This program should be 
 # 	   run from cron daily.

-# $Revision: 1.6 $ 
-# $Date: 2001/07/20 19:04:49 $ 
+# $Revision: 1.7 $ 
+# $Date: 2001/08/02 20:06:02 $ 
 # $Author: kestes%walrus.com $ 
 # $Source: /home/hwine/cvs_conversion/cvsroot/mozilla/webtools/tinderbox2/src/bin/rmlogs,v $ 
 # $Name:  $ 
@ -71,7 +71,7 @@ sub rm_logfile {
    return 1;

  # untaint path
-  $full_path = extract_filename_chars($full_path);
+  $full_path = main::extract_safe_filename($full_path);

  # save stat info for the file, incase we need it in the future.