Kouhei Sutou
kou****@cozmi*****
Wed, 7 Apr 2004 11:53:02 JST
Sutou here.

In <20040****@cozmi*****> "[Hiki-dev:00525] history plugin does not work under $SAFE=1" on Wed, 07 Apr 2004 11:47:49 +0900 (JST), Kouhei Sutou <kou****@cozmi*****> wrote:

> I'm not sure where the best place to untaint the argument to Kernel#` is,
> but how about something like this?

Sorry, there were places where I forgot to untaint.

# I wonder whether it would be better to just silently untaint the
# argument of history_exec_command.

-------------- next part --------------
Index: misc/plugin/history.rb =================================================================== RCS file: /cvsroot/hiki/hiki/misc/plugin/history.rb,v retrieving revision 1.2 diff -u -p -r1.2 history.rb --- misc/plugin/history.rb 1 Mar 2004 09:50:45 -0000 1.2 +++ misc/plugin/history.rb 7 Apr 2004 02:50:19 -0000 @@ -123,7 +123,7 @@ module Hiki # Subroutine to invoke external command using `` sequence. def history_exec_command (cmd_string) cmdlog = '' - oldpwd = Dir.pwd + oldpwd = Dir.pwd.untaint begin Dir.chdir( "#{$pages_path}" ) # うーん... まあとりあえず。 @@ -164,9 +164,9 @@ module Hiki # make command string case history_repos_type when 'cvs' - hstcmd = "cvs -Q -d #{history_repos_root} log #{@p.escape}" + hstcmd = "cvs -Q -d #{history_repos_root} log #{@p.escape.untaint}" when 'svn' - hstcmd = "svn log #{@p.escape}" + hstcmd = "svn log #{@p.escape.untaint}" else return history_output(history_not_supported_label) end @@ -278,11 +278,11 @@ module Hiki when 'cvs' revopt = "-r 1.#{r.to_i}" revopt = "-r 1.#{r2.to_i} -r 1.#{r.to_i}" unless r2.nil? || r2.to_i == 0 - hstcmd = "cvs -Q -d #{history_repos_root} diff -u #{revopt} #{@p.escape}" + hstcmd = "cvs -Q -d #{history_repos_root} diff -u #{revopt} #{@p.escape.untaint}" when 'svn' revopt = "#{r.to_i}" revopt = "#{r2.to_i}:#{r.to_i}" unless r2.nil? || r2.to_i == 0 - hstcmd = "svn diff -r #{revopt} #{@p.escape}" + hstcmd = "svn diff -r #{revopt} #{@p.escape.untaint}" else return history_output(history_not_supported_label) end
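Review bot: in the first hunk (history_exec_command, @@ -123,7 +123,7 @@) the untaint on `Dir.pwd` only covers the value saved for changing back later; the `Dir.chdir( "#{$pages_path}" )` on the next context line builds a fresh string by interpolation, which inherits taint from `$pages_path`, so under $SAFE=1 it will still raise SecurityError if that global came from a config file or the environment. Untainting `Dir.pwd` itself is reasonable, since the current directory is process state rather than request data, but that reasoning does not carry over to `$pages_path`, so either untaint it where it is validated or note why it is already untainted. On the question raised in the message, untainting `cmd_string` inside history_exec_command would be the wrong place: that method is the single chokepoint where every command reaches `` ` ``, and untainting there switches off the one check that flags an unvalidated interpolation for every caller; keep the untaint at the call sites, next to the validation that justifies it.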
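Review bot: in the second hunk (@@ -164,9 +164,9 @@, the `log` commands) `@p.escape.untaint` asserts that whatever `escape` does is enough to make the page name safe to hand to a shell via `` ` ``, and nothing in the hunk shows that; the untaint belongs beside a check that `escape` yields a shell-safe token (an allowed character set, for instance), not beside the interpolation it silences. Separately, `history_repos_root` is interpolated into the cvs command on the same line with neither escaping nor untaint, so if that value is tainted the command string stays tainted and this change does not fix the cvs branch. Since both branches do the same thing, compute the page name once before the `case`, e.g. `page = @p.escape.untaint`, and use it in both.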
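Review bot: in the third hunk (@@ -278,11 +278,11 @@, the `diff` commands) the revision arguments already follow the right pattern: `r` and `r2` go through `to_i`, so `revopt` carries neither taint nor shell metacharacters and needs no untaint. The page name should be handled the same way, by validation followed by untaint in one place, rather than `@p.escape.untaint` repeated at each interpolation, which with this hunk is now the same call-site pattern four times across the log and diff paths. A single helper that validates and untaints the page name, shared by both paths, would also stop a future call site from interpolating the raw value.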