
Commit 71afb9b

committed
fixed to run at security level 1
1 parent 87352c3 commit 71afb9b

6 files changed

Lines changed: 10 additions & 8 deletions


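--- a/jWebUnit/fitplugin/rubywiki/changes.rb
+++ b/jWebUnit/fitplugin/rubywiki/changes.rb
@@ -11,7 +11,7 @@
 
 LINK = "[A-Z][a-z0-9]+([A-Z][a-z0-9]+)+"
 
-datedpages = Dir.entries('pages').select {|e| e =~ /#{LINK}/}
+datedpages = Dir.entries('pages').select {|e| e.untaint =~ /#{LINK}/}
 datedpages.map! {|e| [File.mtime("pages/#{e}"), e]}
 datedpages.sort! { |a,b| b[0] <=> a[0] }
 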
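--- a/jWebUnit/fitplugin/rubywiki/edit.rb
+++ b/jWebUnit/fitplugin/rubywiki/edit.rb
@@ -13,6 +13,7 @@
 LINK = "[A-Z][a-z0-9]+([A-Z][a-z0-9]+)+";
 MARK = "\263";
 page = ENV['QUERY_STRING'] =~ /^(#{LINK})$/ ? $1 : "WelcomeVisitors" # $& is the last match
+page.untaint
 mode = $_ =~ /append/ ##??????
 puts "<!-- #{mode.inspect} -->"
 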
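--- a/jWebUnit/fitplugin/rubywiki/refcount.rb
+++ b/jWebUnit/fitplugin/rubywiki/refcount.rb
@@ -13,7 +13,7 @@
 
 LINK = "([A-Z][a-z0-9]+([A-Z][a-z0-9]+)+)";
 
-files = Dir.entries('pages').select {|e| e =~ /#{LINK}/}.sort!
+files = Dir.entries('pages').select {|e| e.untaint =~ /#{LINK}/}.sort!
 
 refs = {}
 all_targets = []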
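--- a/jWebUnit/fitplugin/rubywiki/save.rb
+++ b/jWebUnit/fitplugin/rubywiki/save.rb
@@ -12,7 +12,7 @@
 LINK = "[A-Z][a-z0-9]+([A-Z][a-z0-9]+)+";
 
 page = ENV['QUERY_STRING'] =~ /^(#{LINK})$/ ? $1 : "WelcomeVisitors" # $& is the last match
-
+page.untaint
 params = CGI.new.params
 bodyHash = {}
 params.each { |k,v|
@@ -44,7 +44,8 @@
 
 File.open("pages/#{page}", mode) { |f| f.print s }
 
-require 'wiki.rb' # maybe work?
+
+require './wiki.rb' # maybe work?
 
 #my %par;
 #$par{title} = "Thank You";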
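--- a/jWebUnit/fitplugin/rubywiki/search.rb
+++ b/jWebUnit/fitplugin/rubywiki/search.rb
@@ -14,7 +14,7 @@
 LINK = "[A-Z][a-z0-9]+([A-Z][a-z0-9]+)+"
 
 ENV['QUERY_STRING'] =~ /search=([^\&]*)/
-target = $1
+target = $1.untaint
 target.gsub!(/\+/, ' ')
 target.gsub!(/\%(..)/) {[$1.hex].pack('C') }
 
@@ -30,7 +30,7 @@
 </form>
 EOF
 
-files = Dir.entries('pages').select {|e| e =~ /#{LINK}/}.sort!
+files = Dir.entries('pages').select {|e| e.untaint =~ /#{LINK}/}.sort!
 
 hits = 0
 files.each do |file|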
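--- a/jWebUnit/fitplugin/rubywiki/wiki.rb
+++ b/jWebUnit/fitplugin/rubywiki/wiki.rb
@@ -145,7 +145,7 @@ def inPlaceUrl(origRef)
 print "Content-type: text/html\n\n"
 
 page = ENV['QUERY_STRING'] =~ /^(#{LINK})$/ ? $1 : "WelcomeVisitors" # $& is the last match
-
+page.untaint
 par = {}
 par['page' ] = page
 par['title'] = page.gsub(/(.)([A-Z])/, '\1 \2')
@@ -166,7 +166,7 @@ def inPlaceUrl(origRef)
 end
 
 par['summary'] = " -- Last edited #{date}" if date
-par['body'] = formatBody(body)
+par['body'] = formatBody(body.untaint)
 par['action'] = <<-BLAH
 <form method=post action="edit.rb?#{page}">
 <input type=submit value=" Edit ">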