oqapi/webgui
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fixed #8980: possible to execute arbitrary perl code as any user that can upload files

Browse source
This commit is contained in:
Graham Knop 2008-10-27 23:41:38 +00:00
parent 7d33b9fab8
commit b57b632810
2 changed files with 5 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

1
docs/changelog/7.x.x.txt
View file

@ -1,4 +1,5 @@
7.6.2 7.6.2
- fixed #8980: possible to execute arbitrary perl code as any user that can upload files
- added extras to user profile fields. these can be accessed using the - added extras to user profile fields. these can be accessed using the
profile.form.element.extras template variable when editing a profile profile.form.element.extras template variable when editing a profile
and the profile.extras field when viewing a profile. and the profile.extras field when viewing a profile.

5
lib/WebGUI/Asset.pm
View file

@ -1522,12 +1522,15 @@ sub isValidRssItem { 1 }
=head2 loadModule ( $session, $className ) =head2 loadModule ( $session, $className )
Loads an asset module if it's not already in memory. This is a class method. Returns undef on failure to load, otherwise returns the classname. Loads an asset module if it's not already in memory. This is a class method. Returns undef on failure to load, otherwise returns the classname. Will only load classes in the WebGUI::Asset namespace.
=cut =cut
sub loadModule { sub loadModule {
my ($class, $session, $className) = @_; my ($class, $session, $className) = @_;
if ($className !~ /^WebGUI::Asset(?:$|::)/ ) {
return undef;
}
(my $module = $className . '.pm') =~ s{::|'}{/}g; (my $module = $className . '.pm') =~ s{::|'}{/}g;
if (eval { require $module; 1 }) { if (eval { require $module; 1 }) {
return $className; return $className;