diff options
| -rw-r--r-- | ChangeLog | 6 | ||||
| -rw-r--r-- | library/msgcat/msgcat.tcl | 9 | ||||
| -rw-r--r-- | tests/msgcat.test | 22 |
3 files changed, 32 insertions, 5 deletions
@@ -1,3 +1,9 @@ +2004-03-31 Don Porter <dgp@users.sourceforge.net> + + * library/msgcat/msgcat.tcl: Added checks to prevent [mclocale] + * tests/msgcat.test: from registering filesystem paths to possibly + malicious code to be evaluated by a later [mcload]. + 2004-08-10 Zoran Vasiljevic <vasiljevic@users.sf.net> * unix/tclUnixThrd.c (TclpThreadCreate): changed handling of diff --git a/library/msgcat/msgcat.tcl b/library/msgcat/msgcat.tcl index 4db7890..a4cf23e 100644 --- a/library/msgcat/msgcat.tcl +++ b/library/msgcat/msgcat.tcl @@ -10,7 +10,7 @@ # See the file "license.terms" for information on usage and redistribution # of this file, and for a DISCLAIMER OF ALL WARRANTIES. # -# RCS: @(#) $Id: msgcat.tcl,v 1.21 2004/03/31 18:51:33 dgp Exp $ +# RCS: @(#) $Id: msgcat.tcl,v 1.22 2004/08/13 21:39:24 dgp Exp $ package require Tcl 8.5 # When the version number changes, be sure to update the pkgIndex.tcl file, @@ -229,7 +229,12 @@ proc msgcat::mclocale {args} { } if {$len == 1} { - set Locale [string tolower [lindex $args 0]] + set newLocale [lindex $args 0] + if {$newLocale ne [file tail $newLocale]} { + return -code error "invalid newLocale value \"$newLocale\":\ + could be path to unsafe code." + } + set Locale [string tolower $newLocale] set Loclist {} set word "" foreach part [split $Locale _] { diff --git a/tests/msgcat.test b/tests/msgcat.test index 2f37408..6e05d64 100644 --- a/tests/msgcat.test +++ b/tests/msgcat.test @@ -12,15 +12,15 @@ # Note that after running these tests, entries will be left behind in the # message catalogs for locales foo, foo_BAR, and foo_BAR_baz. # -# RCS: @(#) $Id: msgcat.test,v 1.14 2003/10/21 05:10:17 dgp Exp $ +# RCS: @(#) $Id: msgcat.test,v 1.15 2004/08/13 21:39:24 dgp Exp $ package require Tcl 8.2 if {[catch {package require tcltest 2}]} { puts stderr "Skipping tests in [info script]. tcltest 2 required." return } -if {[catch {package require msgcat 1.4}]} { - puts stderr "Skipping tests in [info script]. No msgcat 1.4 found to test." +if {[catch {package require msgcat 1.4.1}]} { + puts stderr "Skipping tests in [info script]. No msgcat 1.4.1 found to test." return } @@ -165,6 +165,22 @@ namespace eval ::msgcat::test { mcpreferences } -result {en_us_funky en_us en {}} + test msgcat-1.12 {mclocale set, reject evil input} -setup { + variable locale [mclocale] + } -cleanup { + mclocale $locale + } -body { + mclocale /path/to/evil/code + } -returnCodes error -match glob -result {invalid newLocale value *} + + test msgcat-1.13 {mclocale set, reject evil input} -setup { + variable locale [mclocale] + } -cleanup { + mclocale $locale + } -body { + mclocale looks/ok/../../../../but/is/path/to/evil/code + } -returnCodes error -match glob -result {invalid newLocale value *} + # Tests msgcat-2.*: [mcset], [mcmset], namespace partitioning test msgcat-2.1 {mcset, global scope} { |