Protect config file reads too

2026-03-20 16:50:24 +00:00 · 2009-08-10 17:04:20 -07:00
parent 85355ae69c
commit 2c03001489
2 changed files with 4 additions and 0 deletions
--- a/htaccess-htpasswd/edit_dir.cgi
+++ b/htaccess-htpasswd/edit_dir.cgi
@@ -82,8 +82,10 @@ else {

 # Authentication realm
 if (!$in{'new'}) {
+	&switch_user();
 	$conf = &foreign_call($apachemod, "get_htaccess_config",
 			      "$dir->[0]/$config{'htaccess'}");
+	&switch_back();
 	$realm = &foreign_call($apachemod, "find_directive",
 			       "AuthName", $conf, 1);
 	}
--- a/htaccess-htpasswd/index.cgi
+++ b/htaccess-htpasswd/index.cgi
@@ -58,6 +58,7 @@ if (@dirs) {
 	print &ui_columns_start([ $can_create ? ( "" ) : ( ),
 				  $text{'index_dir'},
 				  $text{'index_usersgroups'} ], 100, 0, \@tds);
+	&switch_user();
 	foreach $d (@dirs) {
 		local @cols;
 		if ($can_create) {
@@ -140,6 +141,7 @@ if (@dirs) {
 			print &ui_columns_row(\@cols, \@tds);
 			}
 		}
+	&switch_back();
 	print &ui_columns_end();
 	if ($can_create) {
 		print &ui_links_row(\@links);