Changeset 176 for trunk/dns.cgi


Timestamp:
12/01/11 14:58:18 (13 years ago)
Author:
Kris Deugau
Message:

/trunk

Remove some more stale commented code
Remove redundant call to initialize $searchsubs
Security review (see #30)

  • set $webvar{page} a little earlier so we don't clutter the session with unusable data
  • tweak initialization of $searchsubs. Improved but will still behave a bit strangely if extra data is deliberately or accidentally added to $webvar{searchsubs} (see #31)
File:
1 edited

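--- a/trunk/dns.cgi
+++ b/trunk/dns.cgi
@@ -83,7 +83,4 @@
   $session->param('reclistsortby','host');
   $session->param('reclistorder','ASC');
-#  $session->param('filter','login');
-#  $session->param('startwith','login');
-#  $session->param('searchsubs','login');
 }
 
@@ -103,4 +100,8 @@
 my $curgroup = ($session->param('curgroup') ? $session->param('curgroup') : $logingroup);
 
+# decide which page to spit out...
+# also set $webvar{page} before we try to use it.
+$webvar{page} = 'login' if !$webvar{page};
+
 # per-page startwith, filter, searchsubs
 
@@ -109,13 +110,16 @@
 # not much call for chars not allowed in domain names
 $webvar{filter} =~ s/[^a-zA-Z0-9_.:@-]//g if $webvar{filter};
+## only set 'y' if box is checked, no other values legal
+## however, see https://secure.deepnet.cx/trac/dnsadmin/ticket/31
+# first, drop obvious fakes
+delete $webvar{searchsubs} if $webvar{searchsubs} && $webvar{searchsubs} !~ /^[ny]/;
+# strip the known "turn me off!" bit.
+$webvar{searchsubs} =~ s/^n\s?// if $webvar{searchsubs};
+# strip non-y/n - note this legitimately allows {searchsubs} to go empty
+$webvar{searchsubs} =~ s/[^yn]//g if $webvar{searchsubs};
 
 $session->param($webvar{page}.'startwith', $webvar{startwith}) if defined($webvar{startwith});
 $session->param($webvar{page}.'filter', $webvar{filter}) if defined($webvar{filter});
-$webvar{searchsubs} =~ s/^n ?// if $webvar{searchsubs};
 $session->param($webvar{page}.'searchsubs', $webvar{searchsubs}) if defined($webvar{searchsubs});
-
-# decide which page to spit out...
-# also set $webvar{page} before we try to use it.
-$webvar{page} = 'login' if !$webvar{page};
 
 my $startwith = $session->param($webvar{page}.'startwith');
@@ -1741,6 +1745,4 @@
 
 sub listdomains {
-
-  $searchsubs = $session->param($webvar{page}.'searchsubs');
 
 # ACLs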
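Review bot: The three-step searchsubs clean-up at new lines 115-119 still lets values other than `y` into the session, despite the header comment promising "no other values legal": `nn` becomes `n` after the leading-n strip and passes the `[^yn]` filter, and `yn` or `ny` survive unchanged, so if the code that later reads the stored `searchsubs` tests it for truth rather than `eq 'y'`, a non-`y` value can still switch the option on. The commit message already points at this oddity via #31, and a final canonicalisation would close it rather than leaving it to the consumer: replace the last strip with `$webvar{searchsubs} = ($webvar{searchsubs} =~ /y/ ? 'y' : '') if defined $webvar{searchsubs};`, on the assumption that any `y` following the hidden "turn me off" prefix means the box was checked — confirm against the form. The `if defined` guard keeps the existing behaviour that a deleted (fake) value leaves the session entry untouched while a bare `n` still writes an empty string. The code that consumes the session value lies outside this hunk.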