oqapi/webgui
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix possible vulnerability loading template parser

Browse source
This commit is contained in:
Doug Bell 2010-08-11 15:37:04 -05:00
parent 0f475dd013
commit 4e9a2c07c2
3 changed files with 47 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

22
lib/WebGUI/Asset/Template.pm
View file

@ -21,6 +21,7 @@ use WebGUI::Asset::Template::HTMLTemplate;
use WebGUI::Utility;
use WebGUI::Form;
use WebGUI::Exception;
use List::MoreUtils qw{ any };
use Tie::IxHash;
use Clone qw/clone/;
use HTML::Packer;
@ -434,14 +435,23 @@ A parser class to use. Defaults to "WebGUI::Asset::Template::HTMLTemplate"
sub getParser {
my $class = shift;
my $session = shift;
my $parser = shift || $session->config->get("defaultTemplateParser") || "WebGUI::Asset::Template::HTMLTemplate";
my $parser = shift;
if ($parser eq "") {
return WebGUI::Asset::Template::HTMLTemplate->new($session);
} else {
eval("use $parser");
return $parser->new($session);
# If parser is not in the config, throw an error message
if ( $parser && $parser ne $session->config->get('defaultTemplateParser')
&& !any { $_ eq $parser } @{$session->config->get('templateParsers')} ) {
WebGUI::Error::NotInConfig->throw(
error => "Attempted to load template parser '$parser' that is not in config file",
module => $parser,
configKey => 'templateParsers',
);
}
else {
$parser ||= $session->config->get("defaultTemplateParser") || "WebGUI::Asset::Template::HTMLTemplate";
}
WebGUI::Pluggable::load( $parser );
return $parser->new($session);
}
#-------------------------------------------------------------------

5
lib/WebGUI/Exception.pm
View file

@ -58,6 +58,11 @@ use Exception::Class (
isa => 'WebGUI::Error',
description => "A template has errors that prevent it from being processed.",
},
'WebGUI::Error::NotInConfig' => {
isa => 'WebGUI::Error',
description => 'A module was requested that does not exist in the configuration file.',
fields => [qw{ module configKey }],
},
);
sub WebGUI::Error::full_message {