X-Git-Url: http://git.freeside.biz/gitweb/?p=freeside.git;a=blobdiff_plain;f=rt%2Fbin%2Fwebmux.pl.in;h=7aae041b3d844a4189802fc6ce0d95b50b9b92b8;hp=8086177afdddcec560e0ec4d75acee7032fc1857;hb=75162bb14b3e38d66617077843f4dfdcaf09d5c4;hpb=fc6209f398899f0211cfcedeb81a3cd65e04a941
diff --git a/rt/bin/webmux.pl.in b/rt/bin/webmux.pl.in
index 8086177af..7aae041b3 100644
--- a/rt/bin/webmux.pl.in
+++ b/rt/bin/webmux.pl.in
@@ -73,7 +73,8 @@ sub handler {
 # and make all system() and open "|-" dangerouse, for example DBI
 # can get this FD for DB connection and system() call will close
 # by putting grabage into the socket
- open $protect_fd, '>/dev/null' or die "Couldn't open /dev/null: $!";
+ open( $protect_fd, '>', '/dev/null' )
+ or die "Couldn't open /dev/null: $!";
 unless ( fileno($protect_fd) == 1 ) {
 warn "We opened /dev/null to protect FD #1, but descriptor #1 is already occupied";
 }
@@ -93,6 +94,20 @@ sub handler {
 RT::ConnectToDatabase();
+ # none of the methods in $r gives us the information we want (most
+ # canonicalize /foo/../bar to /bar which is exactly what we want to avoid)
+ my (undef, $requested) = split ' ', $r->the_request, 3;
+ my $uri = URI->new("http://".$r->hostname.$requested);
+ my $path = URI::Escape::uri_unescape($uri->path);
+ ## Each environment has its own way of handling .. and so on in paths,
+ ## so RT consistently forbids such paths.
+ if ( $path =~ m{/\.} ) {
+ $RT::Logger->crit("Invalid request for ".$path." aborting");
+ RT::Interface::Web::Handler->CleanupRequest();
+ return 400;
+ }
+
 my (%session, $status);
 {
 local $@;
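Review bot: The new path check in the second hunk passes silently on a malformed request line: when `split ' ', $r->the_request, 3` yields no target, `$requested` is undef, the `URI->new(...)` string is built from an undef concatenation (an uninitialized-value warning if warnings are enabled) and `$path` comes back empty, so the `m{/\.}` test never fires and the request proceeds. Guard the split result before constructing the URI, taking the same cleanup path the rejection branch already uses: `unless ( defined $requested ) { RT::Interface::Web::Handler->CleanupRequest(); return 400; }`. Note also that the comparison runs on a single `URI::Escape::uri_unescape` of `$uri->path`, so the guarantee in the `##` comment only holds if nothing downstream decodes the path a second time — worth stating there, e.g. `## The check runs on a once-decoded path; later handlers must not decode it again.` The enclosing `handler` sub starts before and continues after this hunk.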