| … | |
… | |
| 38 | $safe->reval("\$webworkURLRoot = '$webworkURLRoot'"); |
38 | $safe->reval("\$webworkURLRoot = '$webworkURLRoot'"); |
| 39 | $safe->reval("\$pgRoot = '$pgRoot'"); |
39 | $safe->reval("\$pgRoot = '$pgRoot'"); |
| 40 | $safe->reval("\$courseName = '$courseName'"); |
40 | $safe->reval("\$courseName = '$courseName'"); |
| 41 | |
41 | |
| 42 | # Compile the "include" function with all opcodes available. |
42 | # Compile the "include" function with all opcodes available. |
|
|
43 | # why did this first version work (see the grep pattern?) |
|
|
44 | # my guess it's because the path on webwork.math starts with |
|
|
45 | # /ww/ !!!!!! |
| 43 | my $include = 'sub include { |
46 | # my $include = 'sub include { |
|
|
47 | # my ($file) = @_; |
|
|
48 | # my $fullPath = "'.$webworkRoot.'/$file"; |
|
|
49 | # # This regex matches any string that: |
|
|
50 | # # : begins with ../ |
|
|
51 | # # : ends with /.. |
|
|
52 | # # : contains /../, or |
|
|
53 | # # : is .. |
|
|
54 | # if ($fullPath =~ m!(?:^|/)..(?:/|$)!) { |
|
|
55 | # die "Included file $file has potentially insecure path: contains \"..\""; |
|
|
56 | # } else { |
|
|
57 | # local @INC = (); |
|
|
58 | # do $fullPath; |
|
|
59 | # } |
|
|
60 | # }'; |
|
|
61 | my $include = q[ sub include { |
| 44 | my ($file) = @_; |
62 | my ($file) = @_; |
| 45 | my $fullPath = "'.$webworkRoot.'/$file"; |
63 | my $fullPath = "].$webworkRoot.q[/$file"; |
| 46 | # This regex matches any string that: |
64 | # This regex matches any string that: |
| 47 | # : begins with ../ |
65 | # : begins with ../ |
| 48 | # : ends with /.. |
66 | # : ends with /.. |
| 49 | # : contains /../, or |
67 | # : contains /../, or |
| 50 | # : is .. |
68 | # : is .. |
| 51 | if ($fullPath =~ m!(?:^|/)..(?:/|$)!) { |
69 | if ($fullPath =~ m!(?:^|/)\.\.(?:/|$)!) { |
| 52 | die "Included file $file has potentially insecure path: contains \"..\""; |
70 | die "Included file $file has potentially insecure path: contains \"..\""; |
| 53 | } else { |
71 | } else { |
| 54 | local @INC = (); |
72 | local @INC = (); |
| 55 | do $fullPath; |
73 | do $fullPath or die "\n\n Couldn't include $fullPath. Has it been created from a distribution file?\n\n"; |
| 56 | } |
74 | } |
| 57 | }'; |
75 | } ]; |
| 58 | |
76 | |
| 59 | my $maskBackup = $safe->mask; |
77 | my $maskBackup = $safe->mask; |
| 60 | $safe->mask(empty_opset); |
78 | $safe->mask(empty_opset); |
| 61 | $safe->reval($include); |
79 | $safe->reval($include); |
| 62 | $safe->mask($maskBackup); |
80 | $safe->mask($maskBackup); |
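Review bot: The new `do $fullPath or die ...` on new line 73 treats every false result as a missing file: `do FILE` returns the file's last evaluated value, so an include that ends on a false expression now dies, and a syntax error inside the file is reported as "Has it been created from a distribution file?" with `$@` discarded. Separating the cases keeps the diagnosis accurate: `my $rv = do $fullPath;` `die "Couldn't compile $fullPath: $@" if $@;` `die "Couldn't read $fullPath: $!" unless defined $rv;`. Separately, new line 63 still splices `$webworkRoot` into the source of a sub that is compiled while the mask is `empty_opset`, so a root path containing `"`, `$` or `@` would change the code that gets compiled. Whether that value can ever be untrusted is not visible here, but setting it as a compartment variable through `$safe->varglob('webworkRoot')` and reading it inside `include` would avoid building code from it at all. The routine that contains these statements starts and ends outside the visible lines.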