Ticket #1259 (confirmed Bug)

Opened 7 years ago

Last modified 6 years ago

Perl connector does not conform to our standards

Reported by: wwalc Owned by:
Priority: Normal Milestone:
Component: Server : Perl Version:
Keywords: Cc:

Description

Each connector uses its own config file; Perl's does not. And correct me if I'm wrong, it contains a possible security hole here:

	if($FORM{'ServerPath'} ne "") {
		$GLOBALS{'UserFilesPath'} = $FORM{'ServerPath'};
		if(!($GLOBALS{'UserFilesPath'} =~ /\/$/)) {
			$GLOBALS{'UserFilesPath'} .= '/' ;
		}
	} else {
		$GLOBALS{'UserFilesPath'} = '/userfiles/';
	}

By sending a malformed ServerPath we can do some bad things. I think that it would be good to adjust the Perl connector to our standards (so that ServerPath could be defined in the config file, not as a part of the URL) and, btw, it would be good to make its own page in http://wiki.fckeditor.net/ (Integration section).
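
An added example, not part of the ticket or the FCKeditor code: one way the Perl connector could take the path from server-side configuration instead of the URL, as the report proposes. The `%CONFIG` hash, its keys and `user_files_path` are hypothetical names, and the subfolder allowlist goes a step beyond what the ticket asks for.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical config values (assumed names). They would live in a
# server-side config file and never come from the request.
my %CONFIG = (
	UserFilesPath   => '/userfiles/',
	AllowedSubPaths => [ 'images/', 'docs/' ],   # optional per-site subfolders
);

# Return the path the connector should use. The request may only select
# one of the configured subfolders; anything else falls back to the base.
sub user_files_path {
	my ($form) = @_;
	my $base = $CONFIG{UserFilesPath};
	$base .= '/' unless $base =~ m{/$};

	my $requested = $form->{ServerPath};
	return $base unless defined $requested && $requested ne '';

	# Normalise the trailing slash the same way the original snippet does.
	$requested .= '/' unless $requested =~ m{/$};

	# Exact string match against configured values: no pattern matching,
	# so '..' segments, absolute paths and NUL bytes never get through.
	for my $sub (@{ $CONFIG{AllowedSubPaths} }) {
		return $base . $sub if $requested eq $base . $sub;
	}
	return $base;   # unknown or malformed value: ignore it
}

# Constructed sample inputs, not taken from the ticket.
for my $sp ('', '/userfiles/images', '/etc/', '/userfiles/../../etc/', "/userfiles/images/\0") {
	(my $shown = $sp) =~ s/\0/\\0/g;   # make the NUL byte visible when printing
	printf "%-28s -> %s\n", "'$shown'", user_files_path({ ServerPath => $sp });
}
```

Only the second sample resolves to a subfolder (`/userfiles/images/`); every other input, including the empty one, yields the configured base `/userfiles/`.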

Change History

comment:1 Changed 7 years ago by alfonsoml

  • Component changed from File Browser to Server : Perl

comment:2 Changed 6 years ago by w.olchawa

  • Keywords Confirmed added