Index: openacs-4/packages/acs-api-browser/tcl/acs-api-documentation-procs.tcl =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-api-browser/tcl/acs-api-documentation-procs.tcl,v diff -u -r1.27.8.23 -r1.27.8.24 --- openacs-4/packages/acs-api-browser/tcl/acs-api-documentation-procs.tcl 11 Sep 2014 08:01:04 -0000 1.27.8.23 +++ openacs-4/packages/acs-api-browser/tcl/acs-api-documentation-procs.tcl 14 Sep 2014 09:02:41 -0000 1.27.8.24 @@ -1285,7 +1285,6 @@ Returns list of xql files related to tcl script file @param path path and filename from $::acs::rootdir - } { set linkList [list] @@ -1310,6 +1309,35 @@ return $linkList } + + ad_proc -private sanitize_path { {-prefix packages} path } { + + Return a sanitized path. Cleans path from directory traversal + attacks and checks, if someone tries to access content outside + of the specified prefix. + + @return sanitized path + } { + + if {[regsub -all {[.][.]/} $path "" shortened_path]} { + set filename "$::acs::rootdir/$path" + ns_log notice [subst {INTRUDER ALERT:\n\nsomesone tried to snarf '$filename'! + file exists: [file exists $filename] user_id: [ad_conn user_id] peer: [ad_conn peeraddr] + }] + set path $shortened_path + } + + if {![string match "$prefix/*" $path]} { + set filename "$::acs::rootdir/$path" + ns_log notice [subst {INTRUDER ALERT:\n\nsomesone tried to snarf '$filename'! + file exists: [file exists $filename] user_id: [ad_conn user_id] peer: [ad_conn peeraddr] + }] + + set path $prefix/$path + } + + return $path + } } 
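Review bot: The new sanitize_path proc relies on one `regsub -all {[.][.]/}` pass as its traversal filter, but a single non-overlapping substitution can leave a fresh `../` behind when the sequences are nested, a trailing `..` with no slash is not matched at all, and the proc then continues with the partially cleaned string rather than refusing it, so a path that still escapes the prefix can be handed back to callers. The `string match "$prefix/*"` test that follows only inspects the spelling of the string, not where it resolves, so it cannot compensate. A more robust approach is to normalize the candidate with `file normalize`, which resolves `.` and `..` components lexically, and then require the absolute result to lie under `[file normalize $::acs::rootdir/$prefix]/`, aborting the request otherwise; the prefix-prepending convenience for paths that omit `packages/` can be kept in front of that check. The two log blocks also call `file exists` on the raw, unsanitized filename before any check, which only adds a filesystem probe of attacker-chosen input to the log line and can be dropped. The rewritten body below keeps the proc's name, arguments and "return sanitized path" contract.
```tcl
ad_proc -private sanitize_path { {-prefix packages} path } {
    # … unchanged: documentation block …
} {
    if {![string match "$prefix/*" $path]} {
        set path $prefix/$path
    }

    # Resolve "." and ".." lexically before testing the prefix; a string-level
    # filter for "../" is not needed once the absolute path is normalized.
    set root      [file normalize $::acs::rootdir]
    set allowed   [file normalize $root/$prefix]/
    set candidate [file normalize $root/$path]

    if {![string equal -length [string length $allowed] $allowed $candidate]} {
        ns_log notice [subst {INTRUDER ALERT:\n\nsomesone tried to snarf '$candidate'!
            user_id: [ad_conn user_id] peer: [ad_conn peeraddr]
        }]
        ad_return_complaint 1 "Invalid path"
        ad_script_abort
    }

    # Hand back the path relative to the server root, as the callers expect.
    return [string range $candidate [expr {[string length $root] + 1}] end]
}
```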
@@ -1343,7 +1371,6 @@ } - # # Local variables: # mode: tcl Index: openacs-4/packages/acs-api-browser/www/content-page-view.tcl =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-api-browser/www/content-page-view.tcl,v diff -u -r1.5.4.8 -r1.5.4.9 --- openacs-4/packages/acs-api-browser/www/content-page-view.tcl 11 Sep 2014 08:01:05 -0000 1.5.4.8 +++ openacs-4/packages/acs-api-browser/www/content-page-view.tcl 14 Sep 2014 09:02:41 -0000 1.5.4.9 @@ -48,30 +48,32 @@ } } - - lappend context [file tail $path] +set path [apidoc::sanitize_path $path] -set filename "$::acs::rootdir/$path" - -if {[regsub -all {[.][.]/} $filename "" shortened_filename]} { - ns_log notice "INTRUDER ALERT:\n\nsomesone tried to snarf '$filename'!\n file exists: [file exists $filename]\n user_id: [ad_conn user_id]\n peer: [ad_conn peeraddr]\n" - set filename shortened_filename +if {![file readable $::acs::rootdir/$path] || [file isdirectory $::acs::rootdir/$path]} { + if {[info exists version_id]} { + set kind content + set href [ad_conn package_url]/package-view?[export_vars {version_id {kind procs}}] + set link [subst {
Go back to Package Documentation.}] + } else { + set link [subst {
Go back to API Browser.}] + } + ad_return_warning "No such content page" [subst { + The file '$path' was not found. Maybe the url contains a typo. + $link + }] + return } -if {![file exists $filename] || [file isdirectory $filename]} { - set file_contents "file '$filename' not found" - multirow create xql_links link -} else { - if { $source_p } { - set file_contents [template::util::read_file $filename] - set file_contents [apidoc::tclcode_to_html $file_contents] - } - - template::util::list_to_multirow xql_links [::apidoc::xql_links_list $path] +if { $source_p } { + set file_contents [template::util::read_file $$::acs::rootdir/$path] + set file_contents [apidoc::tclcode_to_html $file_contents] } +template::util::list_to_multirow xql_links [::apidoc::xql_links_list $path] + set title [file tail $path] set script_documentation [api_script_documentation $path] Index: openacs-4/packages/acs-api-browser/www/procs-file-view.tcl =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-api-browser/www/procs-file-view.tcl,v diff -u -r1.3.10.7 -r1.3.10.8 --- openacs-4/packages/acs-api-browser/www/procs-file-view.tcl 14 Sep 2014 08:23:42 -0000 1.3.10.7 +++ openacs-4/packages/acs-api-browser/www/procs-file-view.tcl 14 Sep 2014 09:02:41 -0000 1.3.10.8 @@ -31,6 +31,7 @@ } } +set path [apidoc::sanitize_path $path] if {![file readable $::acs::rootdir/$path] || [file isdirectory $::acs::rootdir/$path]} { if {[info exists version_id]} { set kind procs
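Review bot: The `read_file` call in the `source_p` branch reads `$$::acs::rootdir/$path`; in Tcl the first `$` is not followed by a variable name and is kept literally, so the file actually opened begins with a `$` and is not the file that `file readable $::acs::rootdir/$path` checked a few lines earlier — unless the doubled dollar is an artifact of how this diff was captured, the line should be `set file_contents [template::util::read_file $::acs::rootdir/$path]`. Separately, the warning page interpolates the request's `$path` straight into HTML via `[subst { The file '$path' was not found. ...}]`; apidoc::sanitize_path only normalizes traversal and the prefix, so the value can still carry markup, and unless ad_return_warning escapes its explanation it should be written as `The file '[ns_quotehtml $path]' was not found.`. The same sanitize_path call is introduced in procs-file-view.tcl in the next hunk, so both callers trust whatever that proc returns. The enclosing script continues outside this hunk.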