Item13180: Configure should run if -T enabled.

Need to review the unconditional untainting. Added print of the stack trace when a stripped trace is reported to the user. Save wizard called stripStackTrace, but function name is stripStacktrace
foswiki · Dec 26, 2014 · 8583887 · 8583887
1 parent 03bf93f
commit 8583887
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 2 deletions.
diff --git a/core/lib/Foswiki/Configure/Query.pm b/core/lib/Foswiki/Configure/Query.pm
@@ -12,6 +12,7 @@ use Foswiki::Configure::LoadSpec ();
 use Foswiki::Configure::Reporter ();
 use Foswiki::Configure::Checker  ();
 use Foswiki::Configure::Wizard   ();
+use Foswiki::Sandbox             ();
 
 use constant TRACE_CHECK => 0;
 
@@ -41,6 +42,7 @@ sub _getSetParams {
     my ( $params, $root, $reporter ) = @_;
     if ( $params->{set} ) {
         while ( my ( $k, $v ) = each %{ $params->{set} } ) {
+            $v = Foswiki::Sandbox::untaintUnchecked($v);
             if ( defined $v && $v ne '' ) {
                 my $spec  = $root->getValueObject($k);
                 my $value = $v;

diff --git a/core/lib/Foswiki/Configure/Reporter.pm b/core/lib/Foswiki/Configure/Reporter.pm
@@ -341,6 +341,8 @@ sub stripStacktrace {
 
     return '' unless ( length $message );
 
+    print STDERR $message;
+
     my @lines = split( /\n/, $message );
     splice( @lines, KEEP_STACK_LEVELS + 1 );
     return join(

diff --git a/core/lib/Foswiki/Configure/Wizards/Save.pm b/core/lib/Foswiki/Configure/Wizards/Save.pm
@@ -21,6 +21,7 @@ use File::Spec                   ();
 use Foswiki::Configure::Load     ();
 use Foswiki::Configure::LoadSpec ();
 use Foswiki::Configure::FileUtil ();
+use Foswiki::Sandbox             ();
 
 use Foswiki::Configure::Wizard ();
 our @ISA = ('Foswiki::Configure::Wizard');
@@ -230,13 +231,13 @@ sub save {
         while ( my ( $k, $v ) = each %{ $this->param('set') } ) {
             if ( defined $v && $v ne '' ) {
                 my $spec  = $root->getValueObject($k);
-                my $value = $v;
+                my $value = Foswiki::Sandbox::untaintUnchecked($v);
                 if ($spec) {
                     eval { $value = $spec->decodeValue($value) };
                     if ($@) {
                         $reporter->ERROR(
 "SAVE ABORTED: Could not interpret new value for $k: "
-                              . Foswiki::Configure::Reporter::stripStackTrace(
+                              . Foswiki::Configure::Reporter::stripStacktrace(
                                 $@) );
                         return undef;
                     }