From b57b632810e253e8ca34d534020a57717f6b1331 Mon Sep 17 00:00:00 2001
From: Graham Knop
Date: Mon, 27 Oct 2008 23:41:38 +0000
Subject: [PATCH] fixed #8980: possible to execute arbitrary perl code as any user that can upload files
---
 docs/changelog/7.x.x.txt | 1 +
 lib/WebGUI/Asset.pm | 5 ++++-
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/docs/changelog/7.x.x.txt b/docs/changelog/7.x.x.txt
index e76375792..fef8aee21 100644
--- a/docs/changelog/7.x.x.txt
+++ b/docs/changelog/7.x.x.txt
@@ -1,4 +1,5 @@
 7.6.2
+ - fixed #8980: possible to execute arbitrary perl code as any user that can upload files
  - added extras to user profile fields. these can be accessed using the profile.form.element.extras template variable when editing a profile and the profile.extras field when viewing a profile.
diff --git a/lib/WebGUI/Asset.pm b/lib/WebGUI/Asset.pm
index 828b64790..2687b8363 100644
--- a/lib/WebGUI/Asset.pm
+++ b/lib/WebGUI/Asset.pm
@@ -1522,12 +1522,15 @@ sub isValidRssItem { 1 }
 =head2 loadModule ( $session, $className )
-Loads an asset module if it's not already in memory. This is a class method. Returns undef on failure to load, otherwise returns the classname.
+Loads an asset module if it's not already in memory. This is a class method. Returns undef on failure to load, otherwise returns the classname. Will only load classes in the WebGUI::Asset namespace.
 =cut
 sub loadModule {
     my ($class, $session, $className) = @_;
+    if ($className !~ /^WebGUI::Asset(?:$|::)/ ) {
+        return undef;
+    }
     (my $module = $className . '.pm') =~ s{::|'}{/}g;
     if (eval { require $module; 1 }) {
         return $className;
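Review bot: The new namespace check on the `if ($className !~ /^WebGUI::Asset(?:$|::)/ )` line only pins the prefix, so a caller-supplied name such as `WebGUI::Asset::../../evil` still passes and, after the `s{::|'}{/}g` substitution on the following line, becomes `WebGUI/Asset/../../evil.pm` for `require`, which resolves it relative to each @INC entry; if an upload directory is reachable from any @INC path that way, the original bug is narrowed rather than closed. Validating the whole name as identifier components closes that gap: `if ($className !~ /\AWebGUI::Asset(?:::\w+)*\z/) {`, which also swaps `^`/`$` for `\A`/`\z` so a trailing newline cannot slip past the anchor. That form drops the old `'` package separator the substitution still translates; if that is wanted, accept `'` alongside `::` in the same alternation. loadModule's body continues past the end of the hunk.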