Commit 304c9498c15c8edf1f506a46881eafe3876e9c61:
Two bug fixes:
1) Untaint source of move, if present
2) use USER instead of user in audit log to prevent collisions with CGI
param
git-svn-id:
https://svn.apache.org/repos/infra/infrastructure/trunk/projects/whimsy@819798
90ea9780-b833-de11-8433-001ec94261de
Branch: refs/heads/master
Author: Sam Ruby <[email protected]>
Committer: Sam Ruby <[email protected]>
Pusher: rubys <[email protected]>
------------------------------------------------------------
www/secretary/workbench/file.cgi | ++++++++++ ----
------------------------------------------------------------
14 changes: 10 additions, 4 deletions.
------------------------------------------------------------
diff --git a/www/secretary/workbench/file.cgi b/www/secretary/workbench/file.cgi
index 966c434..e00d120 100755
--- a/www/secretary/workbench/file.cgi
+++ b/www/secretary/workbench/file.cgi
@@ -120,7 +120,13 @@ end
class Wunderbar::XmlMarkup
def move source, dest
- source = File.expand_path(source, RECEIVED)
+ if Dir.chdir(RECEIVED) {Dir['*']}.include? source.chomp('/')
+ @_builder.tag! :pre, "svn mv #{source.inspect} #{dest}", class: 'stdin'
+ @_builder.tag! "File #{source} doesn't exist.", class: 'stderr'
+ return
+ end
+
+ source = File.expand_path(source, RECEIVED).untaint
source += svn_at(source)
if File.exist?(dest) and !File.directory?(dest)
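Review bot: The existence check on the first added line is inverted: `Dir.chdir(RECEIVED) {Dir['*']}.include? source.chomp('/')` is true exactly when `source` is present in RECEIVED, yet that branch reports "doesn't exist" and returns, while an absent or `../`-style name falls through to `.untaint` and the move. Since this listing check is the only thing that justifies untainting a request-supplied path, the guard should read `unless Dir.chdir(RECEIVED) {Dir['*']}.include? source.chomp('/')`. The stderr line also passes the message where `tag!` expects the element name — compare the `:pre` line directly above it — so it should be `@_builder.tag! :pre, "File #{source} doesn't exist.", class: 'stderr'`. The body of `move` continues outside the hunk.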
@@ -437,7 +443,7 @@ _html do
File.open "#{RECEIVED}/activity.yml", File::RDWR|File::CREAT, 0644 do
|file|
file.flock File::LOCK_EX
activity_log = YAML.load(file.read) || []
- activity_log.unshift({'user' => $USER, 'time' => Time.now.utc}.
+ activity_log.unshift({'USER' => $USER, 'time' => Time.now.utc}.
merge(Hash[params.map {|key,value| [key,value.first]}]))
file.rewind
file.write YAML.dump(activity_log[0...5])
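Review bot: Renaming the key to `USER` only sidesteps a request parameter literally named `user`; because `merge` on the following line lets the params hash win on duplicate keys, a parameter named `USER` (or `time`) would still overwrite the audited identity and timestamp. Give the block form of `merge` so the server-side fields keep precedence without changing key order: `merge(Hash[params.map {|key,value| [key,value.first]}]) {|_key, audit, _param| audit})`. The `time` value matters too, since the collision check in the later hunk subtracts it from `Time.now`. The enclosing `File.open` block ends outside the hunk.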
@@ -808,11 +814,11 @@ _html do
end
_tbody do
activity_log[1..-1].each do |entry|
- collision = (entry['user'] != $USER and not entry['user'].empty?)
+ collision = (entry['USER'] != $USER)
collision &&= (Time.now-entry['time'] < 600)
_tr_ class: ('collision' if collision) do
_td entry.delete('time')
- _td entry.delete('user')
+ _td entry.delete('USER')
if entry['action']
_td entry.delete('action')
elsif entry['doctype'] == 'other'
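Review bot: Dropping the `not entry['user'].empty?` guard and switching the key leaves entries written before this commit — which carry `'user'`, not `'USER'` — with `entry['USER']` as nil, so every pre-existing entry compares unequal to `$USER` and is flagged as a collision for the next 600 seconds, and `entry.delete('USER')` on the changed `_td` line renders an empty cell while the stale `'user'` key presumably remains for whatever renders the leftover keys. A small compatibility shim keeps those entries readable until they age out of the five-entry log kept by `activity_log[0...5]`: `user = entry.delete('USER') || entry.delete('user')` before the test, then `collision = (user && user != $USER)` and `_td user`. The `each` block continues outside the hunk.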