#
use File::Basename;
-use CGI::Carp qw(fatalsToBrowser);
use Fcntl qw(:flock :seek :mode);
use POSIX qw(strftime locale_h);
use Cwd qw(getcwd abs_path);
use utf8;
+# use CGI::Carp qw(fatalsToBrowser);
# import from fex.pp
our ($bs,$tmpdir,@doc_dirs);
foreach (@files) {
if (/^\// or /\.\.\//) {
# absolute path or relative path with parent directory is not allowed
+ errorlog("$streamfile: $_ is not allowed for streaming");
+ http_error(403);
+ }
+ unless (-e $_) {
+ errorlog("$streamfile: $_ does not exist");
http_error(403);
}
if (@s = stat($_) and not($s[2] & S_IRGRP) or not -r $_) {
# file must be readable by user and group
+ errorlog("$streamfile: $_ is not readable by user and group");
http_error(403);
}
}
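Review bot: The three added errorlog() calls interpolate `$_` into the log line verbatim, and `$_` comes from `@files`, whose origin is not visible in this hunk. If errorlog() does not already neutralise control characters (its definition is not shown), a name containing a newline could split or forge log entries. Consider cleaning a copy once at the top of the loop body, `(my $name = $_) =~ s/[[:cntrl:]]/?/g;`, and logging `$name` in the "is not allowed", "does not exist" and "is not readable" messages. The enclosing block starts before this hunk.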
} else {
# eval code with output substitution
local $__ = '';
+ local $^W = 0;
tie *STDOUT => "Buffer",\$__;
- $__ .= eval('package DOP;' . $pc);
+ my $r .= eval('package DOP;' . $pc);
+ $__ .= $r if $pc !~ /;\s*$/;
untie *STDOUT;
last if $timeout;
$dynamic = $htmldoc =~ s/<<(.+?)>>/$__/s;
return '';
}
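Review bot: `$@` is never inspected after the string eval, so a compile or runtime error in the embedded code leaves `$r` undefined and the `<<...>>` placeholder is silently replaced with whatever had been printed up to the failure. With `local $^W = 0` also in effect, nothing visible here records that the code failed. Log it server-side right after the eval, e.g. `errorlog("eval failed: $@") if $@;` (assuming the errorlog helper used elsewhere in this diff is in scope in this file), and keep the message out of the response. Separately, `my $r .= eval(...)` should be a plain assignment, `my $r = eval('package DOP;' . $pc);`, since appending to a freshly declared variable only obscures the intent. The enclosing sub starts before this hunk.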
-# tie STDOUT to buffer variable (redefining print)
+# tie STDOUT to buffer variable (redefining print and printf)
package Buffer;
sub TIEHANDLE {