whimsical-commits mailing list archives

From Sam Ruby <ru...@apache.org>
Subject [whimsy.git] [1/1] Commit 50bf3c9: untaint path in calls to unlink
Date Mon, 11 Jan 2016 16:04:49 GMT
Commit 50bf3c924309624274931b4eb36f2d80ceaa5b6d:
    untaint path in calls to unlink


Branch: refs/heads/master
Author: Sam Ruby <rubys@intertwingly.net>
Committer: Sam Ruby <rubys@intertwingly.net>
Pusher: rubys <rubys@apache.org>

------------------------------------------------------------
www/secmail/views/actions/burst.json.rb                      | + -
www/secmail/views/actions/check-signature.json.rb            | ++ --
www/secmail/views/actions/drop.json.rb                       | +++ ---
------------------------------------------------------------
12 changes: 6 additions, 6 deletions.
------------------------------------------------------------


diff --git a/www/secmail/views/actions/burst.json.rb b/www/secmail/views/actions/burst.json.rb
index 802adeb..082f075 100644
--- a/www/secmail/views/actions/burst.json.rb
+++ b/www/secmail/views/actions/burst.json.rb
@@ -30,7 +30,7 @@
   message.replace_attachment @selected, attachments
 
 ensure
-  source.unlink if source
+  File.unlink source.path.untaint if source
 end
 
 {
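Review bot: `source.path.untaint` in the ensure clause clears the taint flag with no visible check that the path is one this action created, so the taint mechanism no longer guards the unlink. If the path is trustworthy by construction, add a comment saying why; otherwise confirm it resolves under the expected directory before calling `untaint`. Also note that `untaint` modifies the string in place, so applying it to a `dup` of the path would keep the trust decision local to this line.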
diff --git a/www/secmail/views/actions/check-signature.json.rb b/www/secmail/views/actions/check-signature.json.rb
index ab96bd5..5538bf4 100644
--- a/www/secmail/views/actions/check-signature.json.rb
+++ b/www/secmail/views/actions/check-signature.json.rb
@@ -40,8 +40,8 @@
   ignore.each {|re| err.gsub! re, ''}
 
 ensure
-  attachment.unlink if attachment
-  signature.unlink if signature
+  File.unlink attachment.path.untaint if attachment
+  File.unlink signature.path.untaint if signature
 end
 
 {output: out, error: err, rc: rc.exitstatus}
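Review bot: the two `File.unlink` calls in the ensure clause run back to back, so if the first one raises (a file that is already gone gives Errno::ENOENT), `signature` is never removed and the new error replaces whatever exception the body raised. Consider looping over `[attachment, signature].compact` and rescuing per file, so that cleanup of one file does not depend on the other and the original error still reaches the caller.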
diff --git a/www/secmail/views/actions/drop.json.rb b/www/secmail/views/actions/drop.json.rb
index 830ce73..73c4923 100644
--- a/www/secmail/views/actions/drop.json.rb
+++ b/www/secmail/views/actions/drop.json.rb
@@ -21,9 +21,9 @@
   message.delete_attachment @source
 
 ensure
-  source.unlink if source
-  target.unlink if target
-  output.unlink if output
+  File.unlink source.path.untaint if source
+  File.unlink target.path.untaint if target
+  File.unlink output.path.untaint if output
 end
 
 {attachments: message.attachments, selected: name}
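Review bot: the `File.unlink <file>.path.untaint if <file>` line is repeated three times in this ensure clause, and in the same form in burst.json.rb and check-signature.json.rb. A small shared helper that takes the file objects would keep the untaint decision, and any comment justifying it, in one place, and would make it harder to add another file later without matching cleanup.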
