Opened 18 years ago
Last modified 18 years ago
#1259 confirmed Bug
Perl connector does not conform to our standards
| Reported by: | Wiktor Walc | Owned by: | |
|---|---|---|---|
| Priority: | Normal | Milestone: | |
| Component: | Server : Perl | Version: | |
| Keywords: | | Cc: | |
Description
Each connector uses its own config file; Perl's does not. And correct me if I'm wrong, but it contains a possible security hole here:
```perl
if($FORM{'ServerPath'} ne "") {
    $GLOBALS{'UserFilesPath'} = $FORM{'ServerPath'};
    if(!($GLOBALS{'UserFilesPath'} =~ /\/$/)) {
        $GLOBALS{'UserFilesPath'} .= '/' ;
    }
} else {
    $GLOBALS{'UserFilesPath'} = '/userfiles/';
}
```
By sending a malformed ServerPath we can do some bad things. I think that it would be good to adjust the Perl connector to our standards (so that ServerPath could be defined in the config file, not as a part of the URL) and, btw, it would be good to make its own page in http://wiki.fckeditor.net/ (Integration section).
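An added example, not part of the ticket and not FCKeditor's own code: one way the snippet above could take UserFilesPath from server-side configuration, as the description proposes. It goes one step further and shows how a request-supplied ServerPath could be validated if it had to remain supported. The names `%CONFIG`, `AllowServerPath` and `resolve_user_files_path` are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical config values; in a real connector these would live in a
# server-side config file, never in the request.
my %CONFIG = (
    UserFilesPath   => '/userfiles/',
    AllowServerPath => 0,    # keep 0 unless request overrides are required
);

# Return the base path for user files. A request-supplied ServerPath is
# honoured only when enabled in config, and only if it stays under the
# configured base; anything else falls back to the configured value.
sub resolve_user_files_path {
    my ($form, $config) = @_;
    my $base = $config->{UserFilesPath};
    $base .= '/' unless $base =~ m{/\z};

    my $requested = $form->{ServerPath};
    return $base
        unless $config->{AllowServerPath}
            && defined $requested && $requested ne '';

    # Reject NUL bytes, backslashes, and any '.' or '..' path segment.
    return $base if $requested =~ /[\0\\]/;
    return $base if grep { $_ eq '.' || $_ eq '..' } split m{/}, $requested;

    $requested =~ s{/+}{/}g;                      # collapse repeated slashes
    $requested .= '/' unless $requested =~ m{/\z};

    # Must be the configured base itself or a directory below it.
    return index($requested, $base) == 0 ? $requested : $base;
}

# Constructed sample requests, evaluated with the override off and on.
for my $sp ('', '/userfiles/team/', '/etc/', '/userfiles/../etc/', "/userfiles/a\0b") {
    for my $allow (0, 1) {
        my %cfg = (%CONFIG, AllowServerPath => $allow);
        (my $shown = $sp) =~ s/\0/\\0/g;          # make the NUL byte printable
        printf "allow=%d ServerPath=%-22s -> %s\n",
            $allow, "'$shown'", resolve_user_files_path({ ServerPath => $sp }, \%cfg);
    }
}
```

With the override disabled every request resolves to the configured `/userfiles/`; with it enabled only `/userfiles/team/` is accepted and the other sample values fall back to the configured base.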
Change History (2)
comment:1 Changed 18 years ago by
| Component: | File Browser → Server : Perl |
|---|
comment:2 Changed 18 years ago by
| Keywords: | Confirmed added |
|---|
