From: joy <> Date: Sun, 28 Jan 2001 05:46:27 +0000 (-0800) Subject: [project @ 2001-01-27 21:46:27 by joy] X-Git-Tag: release/2.6.0~1162 X-Git-Url: https://git.donarmstrong.com/?a=commitdiff_plain;h=2b96f2d812efca32e3baf3caa9e0f5a09917b03f;p=debbugs.git [project @ 2001-01-27 21:46:27 by joy] check for crap in the variable that gets passed to the shell
---
diff --git a/scripts/service.in b/scripts/service.in
index 08a8f35..5c6e641 100755
--- a/scripts/service.in
+++ b/scripts/service.in
@@ -1,5 +1,5 @@
 #!/usr/bin/perl
-# $Id: service.in,v 1.31 2000/11/22 10:02:51 joy Exp $
+# $Id: service.in,v 1.32 2001/01/27 21:46:27 joy Exp $
 #
 # Usage: service .nn
 # Temps: incoming/P.nn
@@ -821,6 +821,11 @@ END
 sub sendlynxdocraw {
 local ($relpath,$description) = @_;
+# check for crap in $relpath
+ if ($relpath =~ m/^\./ || $relpath !~ m/^[\d\w-+.@]+$/) {
+ &transcript("Invalid request $relpath!\n");
+ return;
+ }
 $doc='';
 open(L,"lynx -nolist -dump http://$gWebDomain/$relpath 2>&1 |") || &quit("fork for lynx: $!");
 while() { $doc.=$_; }
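Review bot: The allowlist on the added `if` line is anchored with `$`, which in Perl also matches just before a trailing newline, so a `$relpath` ending in a newline passes the check and is still interpolated into the shell command string in the `open(L,"lynx ... |")` call below it. Anchoring with `\z` closes that, and moving the hyphen to the end of the class removes the ambiguous `\w-+` sequence (`\d` is already covered by `\w`): `if ($relpath =~ m/^\./ || $relpath !~ m/\A[\w+.@-]+\z/) {`. Whether callers already strip line endings before calling sendlynxdocraw is not visible in this hunk. As defence in depth, a list-form pipe open such as `open(L, '-|', 'lynx', '-nolist', '-dump', "http://$gWebDomain/$relpath")` would keep the value out of the shell entirely, though stderr would then need to be merged separately. The body of sendlynxdocraw continues past the end of the hunk.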