[freeside-commits] freeside/httemplate/config config-process.cgi, 1.20.2.2, 1.20.2.3
Jeff Finucane,420,,
jeff at wavetail.420.am
Wed Jun 23 12:32:35 PDT 2010
Update of /home/cvs/cvsroot/freeside/httemplate/config
In directory wavetail.420.am:/tmp/cvs-serv32589/httemplate/config
Modified Files:
Tag: FREESIDE_1_9_BRANCH
config-process.cgi
Log Message:
backport RT8384 config input validation
Index: config-process.cgi
===================================================================
RCS file: /home/cvs/cvsroot/freeside/httemplate/config/config-process.cgi,v
retrieving revision 1.20.2.2
retrieving revision 1.20.2.3
diff -u -w -d -r1.20.2.2 -r1.20.2.3
--- config-process.cgi 4 Nov 2009 01:04:36 -0000 1.20.2.2
+++ config-process.cgi 23 Jun 2010 19:32:33 -0000 1.20.2.3
@@ -1,3 +1,30 @@
+%if ( scalar(@error) ) {
+%
+% my $url = popurl(1)."config.cgi";
+% if ( length($cgi->query_string) > 1920 ) { #stupid IE 2083 URL limit
+%
+% my $session = int(rand(4294967296)); #XXX
+% my $pref = new FS::access_user_pref({
+% 'usernum' => $FS::CurrentUser::CurrentUser->usernum,
+% 'prefname' => "redirect$session",
+% 'prefvalue' => $cgi->query_string,
+% 'expiration' => time + 3600, #1h? 1m?
+% });
+% my $pref_error = $pref->insert;
+% if ( $pref_error ) {
+% die "FATAL: couldn't even set redirect cookie: $pref_error".
+% " attempting to set redirect$session to ". $cgi->query_string."\n";
+% }
+%
+<% $cgi->redirect("$url?redirect=$session") %>
+%
+% } else {
+%
+<% $cgi->redirect("$url?". $cgi->query_string ) %>
+%
+% }
+%
+%} else {
<% header('Configuration set') %>
<SCRIPT TYPE="text/javascript">
% my $n = 0;
@@ -61,6 +88,7 @@
</SCRIPT>
</BODY>
</HTML>
+%}
<%once>
#false laziness w/config-view.cgi
my %namecol = (
@@ -83,6 +111,7 @@
my $key = $cgi->param('key');
my $i = $confitems{$key};
+my @error = ();
my @touch = ();
my @delete = ();
my $n = 0;
@@ -92,6 +121,8 @@
if ( $cgi->param($i->key.$n) ne '' ) {
my $value = $cgi->param($i->key.$n);
$value =~ s/\r\n/\n/g; #browsers?
+ my $error = &{$i->validate}($value, $n) if $i->validate;
+ push @error, $error if $error;
$conf->set($i->key, $value, $agentnum);
} else {
$conf->delete($i->key, $agentnum);
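Review bot: A validation failure on line 70 does not stop the write on line 72 — `$conf->set` runs unconditionally, so the rejected value is stored anyway and the user only learns of the error after the redirect; the check needs to gate the store: `$conf->set($i->key, $value, $agentnum) unless $error;`. Separately, `my $error = &{$i->validate}($value, $n) if $i->validate;` is the `my ... if COND` form that perlsyn documents as undefined behaviour (the lexical may keep a stale value when the condition is false), and the same pattern is repeated in every branch of this commit; `my $error = $i->validate ? &{$i->validate}($value, $n) : '';` is well defined and reads the same. The loop over `$n` that encloses this branch starts outside the hunk.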
@@ -99,6 +130,8 @@
} elsif ( $type eq 'binary' || $type eq 'image' ) {
if ( defined($cgi->param($i->key.$n)) && $cgi->param($i->key.$n) ) {
my $fh = $cgi->upload($i->key.$n);
+ my $error = &{$i->validate}($fh, $n) if $i->validate;
+ push @error, $error if $error;
if (defined($fh)) {
local $/;
$conf->set_binary($i->key, <$fh>, $agentnum);
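Review bot: The validator on line 79 is handed `$fh` before the `defined($fh)` check on line 81, so a validate callback receives undef when no file was uploaded, and if a validator reads the upload to inspect it the handle is left at EOF, which makes the slurp on line 83 store an empty or truncated blob; the store also still happens when validation failed. Moving the validation inside the `defined` guard, rewinding the handle, and gating `set_binary` on `$error` addresses all three; this presumes validators may read from the handle, which I cannot confirm from the hunk. The `if (defined($fh))` block is closed outside this hunk.
```perl
    if (defined($fh)) {
      # validate only a real upload; a validator that reads it leaves $fh at EOF
      my $error = $i->validate ? &{$i->validate}($fh, $n) : '';
      push @error, $error if $error;
      seek($fh, 0, 0);
      local $/;
      $conf->set_binary($i->key, <$fh>, $agentnum) unless $error;
```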
@@ -118,12 +151,16 @@
|| $i->multiple )
) {
if ( scalar(@{[ $cgi->param($i->key.$n) ]}) ) {
+ my $error = &{$i->validate}([ $cgi->param($i->key.$n) ], $n) if $i->validate;
+ push @error, $error if $error;
$conf->set($i->key, join("\n", @{[ $cgi->param($i->key.$n) ]} ), $agentnum);
} else {
$conf->delete($i->key, $agentnum);
}
} elsif ( $type =~ /^(text|select(-(sub|part_svc|part_pkg|pkg_class))?)$/ ) {
if ( $cgi->param($i->key.$n) ne '' ) {
+ my $error = &{$i->validate}($cgi->param($i->key.$n), $n) if $i->validate;
+ push @error, $error if $error;
$conf->set($i->key, $cgi->param($i->key.$n), $agentnum);
} else {
$conf->delete($i->key, $agentnum);
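Review bot: Both branches added here collect the validation error and then store the value regardless — line 90 for the multiple/checkbox case and line 98 for the text/select case — so an invalid value still lands in the configuration before the error redirect; each store should be conditional: `$conf->set($i->key, join("\n", @{[ $cgi->param($i->key.$n) ]} ), $agentnum) unless $error;` and `$conf->set($i->key, $cgi->param($i->key.$n), $agentnum) unless $error;`. On line 96 `$cgi->param($i->key.$n)` is evaluated in list context inside the argument list, so if the parameter ever arrives with more than one value the extra values shift `$n` out of its position in the validator's arguments; `scalar($cgi->param($i->key.$n))` pins it to the single value the branch is meant to handle. The surrounding `if`/`elsif` chain continues outside the hunk.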
@@ -135,4 +172,8 @@
$conf->touch($_, $agentnum) foreach @touch;
$conf->delete($_, $agentnum) foreach @delete;
+if (scalar(@error)) {
+ $cgi->param('error', join(' ', @error));
+}
+
</%init>
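Review bot: The `@touch` and `@delete` lists on lines 102-103 are still applied when `@error` is non-empty, so a rejected submission partially takes effect (touches and deletes committed, the failing value stored by the earlier branches) before the user is sent back to the form; if the intent is that a rejected submission changes nothing, wrap them: `unless ( @error ) { $conf->touch($_, $agentnum) foreach @touch; $conf->delete($_, $agentnum) foreach @delete; }`. The joined error text on line 105 travels through the redirect URL into config.cgi as the `error` parameter, and validator messages may echo the submitted value, so config.cgi must HTML-escape that parameter when rendering it — that page is not in this diff, so I cannot confirm it does. A comment above line 104 along the lines of `# errors are reported to the user via the redirect in the template body; the value has already been processed above` would make the ordering explicit for the next reader.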