From f01fe96a27912381d4b30ccad3d355d74f76f505 Mon Sep 17 00:00:00 2001 From: ivan Date: Thu, 24 Aug 2000 07:26:50 +0000 Subject: untaint template source --- fs_signup/FS-SignupClient/cgi/signup.cgi | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) (limited to 'fs_signup/FS-SignupClient/cgi') diff --git a/fs_signup/FS-SignupClient/cgi/signup.cgi b/fs_signup/FS-SignupClient/cgi/signup.cgi index 839ad333d..7576b8b42 100755 --- a/fs_signup/FS-SignupClient/cgi/signup.cgi +++ b/fs_signup/FS-SignupClient/cgi/signup.cgi @@ -1,6 +1,6 @@ #!/usr/bin/perl -Tw # -# $Id: signup.cgi,v 1.7 2000-05-10 23:57:57 ivan Exp $ +# $Id: signup.cgi,v 1.8 2000-08-24 07:26:50 ivan Exp $ use strict; use vars qw( @payby $cgi $locales $packages $pops $r $error @@ -29,14 +29,22 @@ $ieak_file = '/usr/local/freeside/ieak.template'; $cck_file = '/usr/local/freeside/cck.template'; if ( -e $ieak_file ) { - $ieak_template = new Text::Template ( TYPE => 'FILE', SOURCE => $ieak_file ) - or die "Couldn't construct template: $Text::Template::ERROR"; + my $ieak_txt = Text::Template::_load_text($ieak_file) + or die $Text::Template::ERROR; + $ieak_txt =~ /^(.*)$/s; #untaint the template source - it's trusted + $ieak_txt = $1; + $ieak_template = new Text::Template ( TYPE => 'STRING', SOURCE => $ieak_txt ) + or die $Text::Template::ERROR; } else { $ieak_template = ''; } if ( -e $cck_file ) { - $cck_template = new Text::Template ( TYPE => 'FILE', SOURCE => $cck_file ) - or die "Couldn't construct template: $Text::Template::ERROR"; + my $cck_txt = Text::Template::_load_text($cck_file) + or die $Text::Template::ERROR; + $cck_txt =~ /^(.*)$/s; #untaint the template source - it's trusted + $cck_txt = $1; + $cck_template = new Text::Template ( TYPE => 'STRING', SOURCE => $cck_txt ) + or die $Text::Template::ERROR; } else { $cck_template = ''; } -- cgit v1.2.1