From f01fe96a27912381d4b30ccad3d355d74f76f505 Mon Sep 17 00:00:00 2001 From: ivan Date: Thu, 24 Aug 2000 07:26:50 +0000 Subject: [PATCH] untaint template source --- TODO | 5 ++++- fs_signup/FS-SignupClient/cgi/signup.cgi | 18 +++++++++++++----- 2 files changed, 17 insertions(+), 6 deletions(-) diff --git a/TODO b/TODO index f95014bfc..7241c49cd 100644 --- a/TODO +++ b/TODO @@ -1,4 +1,4 @@ -$Id: TODO,v 1.49 2000-08-09 11:30:40 ivan Exp $ +$Id: TODO,v 1.50 2000-08-24 07:26:50 ivan Exp $ If you are interested in helping with any of these, please join the *development* mailing list (send a blank message to @@ -6,6 +6,9 @@ ivan-freeside-devel-subscribe@sisd.com) to avoid duplication of effort. --- +"first package" and email invoice (?) not sticky on errors in new/edit customer +screen. + http://www.ipmeter.com/ integration would be useful http://tangram.sourceforge.net/ diff --git a/fs_signup/FS-SignupClient/cgi/signup.cgi b/fs_signup/FS-SignupClient/cgi/signup.cgi index 839ad333d..7576b8b42 100755 --- a/fs_signup/FS-SignupClient/cgi/signup.cgi +++ b/fs_signup/FS-SignupClient/cgi/signup.cgi @@ -1,6 +1,6 @@ #!/usr/bin/perl -Tw # -# $Id: signup.cgi,v 1.7 2000-05-10 23:57:57 ivan Exp $ +# $Id: signup.cgi,v 1.8 2000-08-24 07:26:50 ivan Exp $ use strict; use vars qw( @payby $cgi $locales $packages $pops $r $error 
@@ -29,14 +29,22 @@ $ieak_file = '/usr/local/freeside/ieak.template'; $cck_file = '/usr/local/freeside/cck.template'; if ( -e $ieak_file ) { - $ieak_template = new Text::Template ( TYPE => 'FILE', SOURCE => $ieak_file ) - or die "Couldn't construct template: $Text::Template::ERROR"; + my $ieak_txt = Text::Template::_load_text($ieak_file) + or die $Text::Template::ERROR; + $ieak_txt =~ /^(.*)$/s; #untaint the template source - it's trusted + $ieak_txt = $1; + $ieak_template = new Text::Template ( TYPE => 'STRING', SOURCE => $ieak_txt ) + or die $Text::Template::ERROR; } else { $ieak_template = ''; } if ( -e $cck_file ) { - $cck_template = new Text::Template ( TYPE => 'FILE', SOURCE => $cck_file ) - or die "Couldn't construct template: $Text::Template::ERROR"; + my $cck_txt = Text::Template::_load_text($cck_file) + or die $Text::Template::ERROR; + $cck_txt =~ /^(.*)$/s; #untaint the template source - it's trusted + $cck_txt = $1; + $cck_template = new Text::Template ( TYPE => 'STRING', SOURCE => $cck_txt ) + or die $Text::Template::ERROR; } else { $cck_template = ''; } -- 2.11.0
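Review bot: The `/^(.*)$/s` capture in both the `$ieak_txt` and `$cck_txt` branches untaints the whole file unconditionally, so `-T` no longer checks the template content at all, and Text::Template will evaluate any Perl embedded in it. The "it's trusted" comment therefore rests entirely on the permissions of the files under `/usr/local/freeside/`, which nothing here verifies; consider a guard before loading, such as `die "$ieak_file is group/world-writable" if (stat($ieak_file))[2] & 022;` (and the same for `$cck_file`), and state the ownership assumption in the comment. `Text::Template::_load_text` is an underscore-prefixed internal that may change between module releases; if the installed Text::Template supports the `UNTAINT => 1` constructor option, keeping `TYPE => 'FILE'` with that option would avoid the private call. The new `or die $Text::Template::ERROR` also drops the "Couldn't construct template:" prefix the old message carried, which makes the failure harder to locate in the web server log.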