X-Git-Url: https://git.treefish.org/fex.git/blobdiff_plain/cdeb354c4dbb11b683f9f8c5db2861f3dc572c61..refs/heads/master:/lib/dop
diff --git a/lib/dop b/lib/dop
index dc92d70..4a6ece0 100755
--- a/lib/dop
+++ b/lib/dop
@@ -8,11 +8,11 @@
 #
 
 use File::Basename;
-use CGI::Carp qw(fatalsToBrowser);
 use Fcntl qw(:flock :seek :mode);
 use POSIX qw(strftime locale_h);
 use Cwd qw(getcwd abs_path);
 use utf8;
+# use CGI::Carp qw(fatalsToBrowser);
 
 # import from fex.pp
 our ($bs,$tmpdir,@doc_dirs);
@@ -126,10 +126,16 @@ sub http_output {
 foreach (@files) {
 if (/^\// or /\.\.\//) {
 # absolute path or relative path with parent directory is not allowed
+errorlog("$streamfile: $_ is not allowed for streaming");
+http_error(403);
+}
+unless (-e $_) {
+errorlog("$streamfile: $_ does not exist");
 http_error(403);
 }
 if (@s = stat($_) and not($s[2] & S_IRGRP) or not -r $_) {
 # file must be readable by user and group
+errorlog("$streamfile: $_ is not readable by user and group");
 http_error(403);
 }
 }
@@ -238,8 +244,10 @@ sub http_output {
 } else {
 # eval code with output substitution
 local $__ = '';
+local $^W = 0;
 tie *STDOUT => "Buffer",\$__;
-$__ .= eval('package DOP;' . $pc);
+my $r .= eval('package DOP;' . $pc);
+$__ .= $r if $pc !~ /;\s*$/;
 untie *STDOUT;
 last if $timeout;
 $dynamic = $htmldoc =~ s/<<(.+?)>>/$__/s;
@@ -603,7 +611,7 @@ sub out {
 return '';
 }
 
-# tie STDOUT to buffer variable (redefining print)
+# tie STDOUT to buffer variable (redefining print and printf)
 package Buffer;
 sub TIEHANDLE {
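Review bot: The new `# use CGI::Carp qw(fatalsToBrowser);` line records that the import was dropped but not why, so the next maintainer may simply re-enable it; a one-line reason would help, e.g. `# CGI::Carp fatalsToBrowser disabled on purpose: it would echo die() messages, including server file paths, to the HTTP client`. Whether fatal errors now reach the web server's error log or are lost entirely depends on how the rest of the file handles die(), which this hunk does not show.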
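Review bot: The three new errorlog()/http_error() calls inside the foreach loop use the global `$_` across subroutine calls; if errorlog() or http_error() were to touch `$_` (a `while (<$fh>)` or a regex substitution without `local $_` would do it), the following `stat($_)` / `-r $_` tests and the logged name would refer to a different value, and because foreach aliases `$_` to the array element, the entry in @files itself would be rewritten. Naming the loop variable, `foreach my $file (@files) {` with `$file` in place of `$_` throughout the body, removes the hazard and is a mechanical substitution in a loop this short. The new checks also assume http_error(403) never returns; if it can, a rejected path still falls through to the stat/readability test, which this hunk cannot confirm either way. Answering 403 rather than 404 for a missing entry keeps the client from learning whether the file exists, which is fine to keep. http_output begins before the hunk and continues after it.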
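Review bot: Errors from the string eval are now dropped silently: `my $r .= eval('package DOP;' . $pc);` leaves `$r` undef and sets `$@` on a compile or runtime failure, nothing checks `$@`, and the added `local $^W = 0;` also suppresses the uninitialized-value warning that would otherwise surface when the undef is appended to `$__`, so a broken `<<...>>` snippet is replaced by empty output with no trace in the log. Logging the failure through the errorlog() helper this file already calls, `errorlog("eval error in $pc: $@") if $@;` right after the eval, keeps the substitution best-effort while making the failure visible. The `.=` in `my $r .= eval(...)` concatenates onto a freshly declared undef and reads as a typo for `my $r = eval(...)`. The `$pc !~ /;\s*$/` test decides statement-versus-expression by the trailing semicolon alone, so an expression that happens to end in `;` is not substituted; stating that rule in the comment above the block would help authors of the embedded code. The enclosing else branch of http_output starts and ends outside the hunk.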