Fix escaping of javascript, and remove un-necessary referrer skip on popup windows

2026-02-03 06:03:28 +00:00 · 2014-05-19 17:31:15 -07:00
parent 61713196d9
commit ade27449c8
7 changed files with 2 additions and 11 deletions
--- a/chooser.cgi
+++ b/chooser.cgi
@@ -16,7 +16,6 @@ use WebminCore;
 		"tar", "binary.gif"
 		);

-$trust_unknown_referers = 1;
 &init_config();
 if (&get_product_name() eq 'usermin') {
 	&switch_to_remote_user();
--- a/date_chooser.cgi
+++ b/date_chooser.cgi
@@ -6,7 +6,6 @@ BEGIN { push(@INC, ".."); };
 use WebminCore;
 use Time::Local;

-$trust_unknown_referers = 1;
 &init_config();
 &ReadParse();

--- a/group_chooser.cgi
+++ b/group_chooser.cgi
@@ -5,7 +5,6 @@
 BEGIN { push(@INC, ".."); };
 use WebminCore;

-$trust_unknown_referers = 1;
 &init_config();
 if (&get_product_name() eq 'usermin') {
 	&switch_to_remote_user();
@@ -26,7 +25,7 @@ if ($in{'multi'}) {
 		# base frame
 		&PrintHeader();
 		print "<script type='text/javascript'>\n";
-		@ul = &split_quoted($in{'group'});
+		@ul = &split_quoted(&filter_javascript($in{'group'}));
 		$len = @ul;
 		print "sel = new Array($len);\n";
 		print "selr = new Array($len);\n";
--- a/help.cgi
+++ b/help.cgi
@@ -5,7 +5,6 @@
 BEGIN { push(@INC, ".."); };
 use WebminCore;

-$trust_unknown_referers = 1;
 &init_config();
 &error_setup($text{'help_err'});
 $ENV{'PATH_INFO'} !~ /[\\\&\;\`\'\"\|\*\?\~\<\>\^\(\)\[\]\{\}\$\n\r]/ ||
--- a/module_chooser.cgi
+++ b/module_chooser.cgi
@@ -4,7 +4,6 @@
 BEGIN { push(@INC, ".."); };
 use WebminCore;

-$trust_unknown_referers = 1;
 &init_config();
 &ReadParse(undef, undef, 2);
 %access = &get_module_acl();
--- a/uptracker.cgi
+++ b/uptracker.cgi
@@ -4,7 +4,6 @@
 BEGIN { push(@INC, ".."); };
 use WebminCore;

-$trust_unknown_referers = 1;
 &init_config();
 &ReadParse();
 $id = $in{'id'};
--- a/user_chooser.cgi
+++ b/user_chooser.cgi
@@ -5,7 +5,6 @@
 BEGIN { push(@INC, ".."); };
 use WebminCore;

-$trust_unknown_referers = 1;
 &init_config();
 if (&get_product_name() eq 'usermin') {
 	&switch_to_remote_user();
@@ -19,7 +18,7 @@ if ($in{'multi'}) {
 		# base frame
 		&PrintHeader();
 		print "<script type='text/javascript'>\n";
-		@ul = split(/\s+/, $in{'user'});
+		@ul = split(/\s+/, &filter_javascript($in{'user'}));
 		$len = @ul;
 		print "sel = new Array($len);\n";
 		print "selr = new Array($len);\n";
@@ -31,8 +30,6 @@ if ($in{'multi'}) {
 			$gn = $ul[$i];
 			$gn =~ s/^(@|\+|&)+//g;
 			@uinfo = getpwnam($gn);
-
-			#@uinfo = getpwnam($ul[$i]);
 			if (@uinfo) {
 				print "selr[$i] = \"".
 				      quotemeta($uinfo[6])."\";\n";