diff --git a/docs/changelog/6.x.x.txt b/docs/changelog/6.x.x.txt
index 37c7cd74d..f1b93d64b 100644
--- a/docs/changelog/6.x.x.txt
+++ b/docs/changelog/6.x.x.txt
@@ -10,6 +10,8 @@
 - Fixed a pagination bug in the subscription code pagination.
 - Added a table of contents to the Help system.
 - Documented the Product Macro and internationalized messages inside of it.
+ - Fixed a critical security bug. Upgrade to this version immediately if
+ you're using any other version 6.3 or above.
 
 6.7.5
 - Fixed a syntax error in Syndicated Content.
diff --git a/lib/WebGUI/Asset.pm b/lib/WebGUI/Asset.pm
index 752b7680b..e28165819 100644
--- a/lib/WebGUI/Asset.pm
+++ b/lib/WebGUI/Asset.pm
@@ -973,7 +973,7 @@ sub new {
 my $revisionDate = shift || $session{assetRevision}{$assetId}{$session{scratch}{versionTag}||'_'};
 unless ($revisionDate) {
 ($revisionDate) = WebGUI::SQL->quickArray("select max(revisionDate) from assetData where assetId="
-.quote($assetId)." and (status='approved' or status='archived' or tagId=".quote($session{scratch}{versionTag}).")
+.quote($assetId)." and (status='approved' or status='archived' or status='pending' or tagId=".quote($session{scratch}{versionTag}).")
 group by assetData.assetId order by assetData.revisionDate");
 $session{assetRevision}{$assetId}{$session{scratch}{versionTag}||'_'} = $revisionDate unless ($session{config}{disableCache});
 }
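Review bot: Adding `status='pending'` to the revision lookup means `new` now resolves an unapproved revision for any caller, not only for the owner of the working version tag, so any code path that renders the asset without a further privilege check would show unpublished content; whether such a check happens downstream is not visible in this hunk. If the intent is only to let a just-created, not-yet-approved asset be re-opened during the add flow, a comment on the changed line stating that reason and naming where viewer-side filtering takes place would keep the next maintainer from widening it further. The body of `new` starts before and continues past this hunk.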
@@ -1352,8 +1352,13 @@ Adds a new Asset based upon the class of the current form. Returns the Asset cal
 sub www_add {
 my $self = shift;
 my %prototypeProperties;
+my $class = $session{form}{class};
+unless ($class =~ m/^[A-Za-z0-9\:]+$/) {
+WebGUI::ErrorHandler::security("tried to call an invalid class ".$class);
+return "";
+}
 if ($session{form}{'prototype'}) {
-my $prototype = WebGUI::Asset->new($session{form}{'prototype'},$session{form}{class});
+my $prototype = WebGUI::Asset->new($session{form}{'prototype'},$class);
 foreach my $definition (@{$prototype->definition}) { # cycle through rather than copying properties to avoid grabbing stuff we shouldn't grab
 foreach my $property (keys %{$definition->{properties}}) {
 next if (isIn($property,qw(title menuTitle url isPrototype isPackage)));
@@ -1374,10 +1379,10 @@ sub www_add {
 isHidden => $self->get("isHidden"),
 startDate => $self->get("startDate"),
 endDate => $self->get("endDate"),
-className=>$session{form}{class},
+className=>$class,
 assetId=>"new"
 );
-$properties{isHidden} = 1 unless (WebGUI::Utility::isIn($session{form}{class}, @{$session{config}{assetContainers}}));
+$properties{isHidden} = 1 unless (WebGUI::Utility::isIn($class, @{$session{config}{assetContainers}}));
 my $newAsset = WebGUI::Asset->newByPropertyHashRef(\%properties);
 $newAsset->{_parent} = $self;
 return WebGUI::Privilege::insufficient() unless ($newAsset->canAdd);
diff --git a/lib/WebGUI/ErrorHandler.pm b/lib/WebGUI/ErrorHandler.pm
index 117a19abf..f734bd427 100644
--- a/lib/WebGUI/ErrorHandler.pm
+++ b/lib/WebGUI/ErrorHandler.pm
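Review bot: The new check `unless ($class =~ m/^[A-Za-z0-9\:]+$/)` still accepts a value with a trailing newline, because `$` matches before a final `\n`, and it emits an uninitialized-value warning (and logs a bare concatenation) when the `class` form field is absent; anchor with `\A`/`\z` and require definedness: `unless (defined $class && $class =~ m/\A[A-Za-z0-9:]+\z/) {`. A character-class check also admits any package name the process is able to load, so an allow-list of registered asset classes from the site configuration, if the application keeps one, would be the stronger gate in front of `WebGUI::Asset->new`. The second `www_add` hunk only substitutes the already-validated `$class` and needs no separate change. `www_add` continues past the end of both hunks.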
@@ -304,7 +304,7 @@ The message you wish to add to the log.
 sub security {
 my $message = shift;
 $Log::Log4perl::caller_depth++;
-warn($WebGUI::Session::session{user}{username}." (".$WebGUI::Session::session{user}{userId}.") connecting from "
+WebGUI::ErrorHandler::warn($WebGUI::Session::session{user}{username}." (".$WebGUI::Session::session{user}{userId}.") connecting from "
 .$WebGUI::Session::session{env}{REMOTE_ADDR}." attempted to ".$message);
 $Log::Log4perl::caller_depth--;
 }
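Review bot: `$message` is written to the log verbatim, and the caller added in this commit (`www_add`) embeds the rejected form value in it, so newlines and other control characters from the request land in the security log as forged entries; neutralise them here rather than at every call site, e.g. `(my $clean = $message) =~ s/[^[:print:]]+/ /g;` before the `WebGUI::ErrorHandler::warn(...)` call and log `$clean` in place of `$message`. Calling `WebGUI::ErrorHandler::warn` instead of the core `warn` is presumably what makes the surrounding `caller_depth` adjustment meaningful; since the two names differ only by package qualifier, a one-line comment on that line saying why the qualified form is required would stop someone "simplifying" it back.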