fixed #8980: possible to execute arbitrary perl code as any user that can upload files

Graham Knop 2008-10-27 23:41:38 +00:00
parent 7d33b9fab8
commit b57b632810
2 changed files with 5 additions and 1 deletions


@ -1522,12 +1522,15 @@ sub isValidRssItem { 1 }
=head2 loadModule ( $session, $className )
Loads an asset module if it's not already in memory. This is a class method. Returns undef on failure to load, otherwise returns the classname.
Loads an asset module if it's not already in memory. This is a class method. Returns undef on failure to load, otherwise returns the classname. Will only load classes in the WebGUI::Asset namespace.
=cut
sub loadModule {
my ($class, $session, $className) = @_;
if ($className !~ /^WebGUI::Asset(?:$|::)/ ) {
return undef;
}
(my $module = $className . '.pm') =~ s{::|'}{/}g;
if (eval { require $module; 1 }) {
return $className;
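Review bot: The new guard in loadModule anchors only the `WebGUI::Asset` prefix, so whatever follows `::` still flows unvalidated into the path built for `require`; a name with `/`, `.` or other non-identifier characters after the prefix would pass the check. Matching the whole name against identifier segments closes that gap, e.g. `if ($className !~ /\AWebGUI::Asset(?:::\w+)*\z/) {`, which also stops `$` from accepting a trailing newline. Callers that pass request-derived class names presumably rely on this check as the only barrier, so a regression test with malformed names would be worth adding. The rest of loadModule's body lies outside this hunk.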