From fcdb3fb3304b33b2a76e2e47d92cdd5c2ca4c145 Mon Sep 17 00:00:00 2001
From: dgp
Date: Fri, 13 Aug 2004 21:45:03 +0000
Subject: * library/msgcat/msgcat.tcl: Added checks to prevent [mclocale]

* tests/msgcat.test: from registering filesystem paths to possibly
malicious code to be evaluated by a later [mcload].
* library/msgcat/pkgIndex.tcl: Bump to msgcat 1.3.3

---
 ChangeLog | 7 +++++++
 library/msgcat/msgcat.tcl | 11 ++++++++---
 library/msgcat/pkgIndex.tcl | 2 +-
 tests/msgcat.test | 22 +++++++++++++++++++---
 4 files changed, 35 insertions(+), 7 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index f50e44d..3afa606 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2004-08-13 Don Porter
+
+	* library/msgcat/msgcat.tcl: Added checks to prevent [mclocale]
+	* tests/msgcat.test: from registering filesystem paths to possibly
+	malicious code to be evaluated by a later [mcload].
+	* library/msgcat/pkgIndex.tcl: Bump to msgcat 1.3.3
+
 2004-08-10 Zoran Vasiljevic
 
 	* unix/tclUnixThrd.c (TclpThreadCreate): changed handling of
diff --git a/library/msgcat/msgcat.tcl b/library/msgcat/msgcat.tcl
index 044dcbb..217a618 100644
--- a/library/msgcat/msgcat.tcl
+++ b/library/msgcat/msgcat.tcl
@@ -10,12 +10,12 @@
 # See the file "license.terms" for information on usage and redistribution
 # of this file, and for a DISCLAIMER OF ALL WARRANTIES.
 #
-# RCS: @(#) $Id: msgcat.tcl,v 1.17.2.3 2004/03/31 18:51:01 dgp Exp $
+# RCS: @(#) $Id: msgcat.tcl,v 1.17.2.4 2004/08/13 21:45:16 dgp Exp $
 
 package require Tcl 8.2
 # When the version number changes, be sure to update the pkgIndex.tcl file,
 # and the installation directory in the Makefiles.
-package provide msgcat 1.3.2
+package provide msgcat 1.3.3
 
 namespace eval msgcat {
     namespace export mc mcload mclocale mcmax mcmset mcpreferences mcset \
@@ -227,7 +227,12 @@ proc msgcat::mclocale {args} {
     }
 
     if {$len == 1} {
-	set Locale [string tolower [lindex $args 0]]
+	set newLocale [lindex $args 0]
+	if {$newLocale ne [file tail $newLocale]} {
+	    return -code error "invalid newLocale value \"$newLocale\":\
+		    could be path to unsafe code."
+	}
+	set Locale [string tolower $newLocale]
 	set Loclist {}
 	set word ""
 	foreach part [split $Locale _] {
diff --git a/library/msgcat/pkgIndex.tcl b/library/msgcat/pkgIndex.tcl
index a048de1..91a93ad 100644
--- a/library/msgcat/pkgIndex.tcl
+++ b/library/msgcat/pkgIndex.tcl
@@ -1,2 +1,2 @@
 if {![package vsatisfies [package provide Tcl] 8.2]} {return}
-package ifneeded msgcat 1.3.2 [list source [file join $dir msgcat.tcl]]
+package ifneeded msgcat 1.3.3 [list source [file join $dir msgcat.tcl]]
diff --git a/tests/msgcat.test b/tests/msgcat.test
index 216e2e7..0edec23 100644
--- a/tests/msgcat.test
+++ b/tests/msgcat.test
@@ -12,15 +12,15 @@
 # Note that after running these tests, entries will be left behind in the
 # message catalogs for locales foo, foo_BAR, and foo_BAR_baz.
 #
-# RCS: @(#) $Id: msgcat.test,v 1.11.2.1 2003/03/26 22:56:09 dgp Exp $
+# RCS: @(#) $Id: msgcat.test,v 1.11.2.2 2004/08/13 21:45:16 dgp Exp $
 
 package require Tcl 8.2
 if {[catch {package require tcltest 2}]} {
     puts stderr "Skipping tests in [info script]. tcltest 2 required."
     return
 }
-if {[catch {package require msgcat 1.3}]} {
-    puts stderr "Skipping tests in [info script]. No msgcat 1.3 found to test."
+if {[catch {package require msgcat 1.3.3}]} {
+    puts stderr "Skipping tests in [info script]. No msgcat 1.3.3 found to test."
     return
 }
 
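Review bot: The new guard in mclocale carries no comment recording why `file tail` is the comparison, so a later maintainer may "simplify" it to a `/` check and lose the native-separator handling (`\` on Windows) that `file tail` provides. Suggest a comment above the `if`: `# Reject any path component: [mcload] joins the locale name into a file name before sourcing it, so a separator here would let the caller choose which file gets sourced.` Checking the raw argument before `string tolower` is the right order, since the lowered value is what `Loclist` is built from. If the package's init code (outside this hunk) passes environment values such as LANG through `mclocale`, a value containing a separator now raises at package load instead of being accepted; worth confirming that path catches the error. mclocale's body continues outside the hunk.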
@@ -165,6 +165,22 @@ namespace eval ::msgcat::test {
 	mcpreferences
     } -result {en_us_funky en_us en}
 
+    test msgcat-1.12 {mclocale set, reject evil input} -setup {
+	variable locale [mclocale]
+    } -cleanup {
+	mclocale $locale
+    } -body {
+	mclocale /path/to/evil/code
+    } -returnCodes error -match glob -result {invalid newLocale value *}
+
+    test msgcat-1.13 {mclocale set, reject evil input} -setup {
+	variable locale [mclocale]
+    } -cleanup {
+	mclocale $locale
+    } -body {
+	mclocale looks/ok/../../../../but/is/path/to/evil/code
+    } -returnCodes error -match glob -result {invalid newLocale value *}
+
     # Tests msgcat-2.*: [mcset], [mcmset], namespace partitioning
 
     test msgcat-2.1 {mcset, global scope} {
-- 
cgit v0.12
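Review bot: The two added tests share the description `{mclocale set, reject evil input}`, so a failure report does not say which case broke; naming them e.g. `{mclocale set, reject absolute path}` and `{mclocale set, reject relative path with ..}` fixes that. Neither test checks that the rejected call left the locale untouched — an assertion that `[mclocale]` still equals the saved `$locale` after the error would pin the no-side-effect property the guard is meant to provide. A value using the Windows separator (`\`) is not covered; `file tail` presumably handles it, but nothing here verifies it. The enclosing `namespace eval ::msgcat::test` block starts and ends outside the hunk.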