[open-ils-commits] r14307 - branches/rel_1_6_0/Open-ILS/src/perlmods/OpenILS/Application/Trigger (miker)
svn at svn.open-ils.org
svn at svn.open-ils.org
Thu Oct 8 11:51:38 EDT 2009
Author: miker
Date: 2009-10-08 11:51:35 -0400 (Thu, 08 Oct 2009)
New Revision: 14307
Modified:
branches/rel_1_6_0/Open-ILS/src/perlmods/OpenILS/Application/Trigger/Event.pm
Log:
Backporting r14032, a confirmed fix for ticket #64: use Safe to protect against EVIL evals coming in from the outside world -- we share the environment into the Safe compartment using the name $current_environment
Modified: branches/rel_1_6_0/Open-ILS/src/perlmods/OpenILS/Application/Trigger/Event.pm
===================================================================
--- branches/rel_1_6_0/Open-ILS/src/perlmods/OpenILS/Application/Trigger/Event.pm 2009-10-08 15:51:09 UTC (rev 14306)
+++ branches/rel_1_6_0/Open-ILS/src/perlmods/OpenILS/Application/Trigger/Event.pm 2009-10-08 15:51:35 UTC (rev 14307)
@@ -8,6 +8,8 @@
use OpenILS::Utils::CStoreEditor q/:funcs/;
use OpenILS::Application::Trigger::ModRunner;
+use Safe;
+
my $log = 'OpenSRF::Utils::Logger';
sub new {
@@ -348,6 +350,8 @@
return $ok || undef;
}
+my $current_environment;
+
sub build_environment {
my $self = shift;
return $self if ($self->environment->{complete});
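Review bot: `my $current_environment;` declares a file-scoped lexical, but `$compartment->share('$current_environment')` in the next hunk shares by name through the package symbol table, and Safe's documentation requires each shared name to be a non-lexical variable. As written, the assignment most likely lands in the lexical while the compartment sees an unset package variable of the same name. A parameter expression that reads `$current_environment` would then get undef. Declaring it as `our $current_environment;` makes the name visible to share(). The body of build_environment continues outside this hunk.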
@@ -356,12 +360,18 @@
try {
+ my $compartment = new Safe;
+ $compartment->permit(':default',':load');
+ $compartment->share('$current_environment');
+
$self->environment->{EventProcessor} = $self;
$self->environment->{target} = $self->target;
$self->environment->{event} = $self->event;
$self->environment->{template} = $self->event->event_def->template;
- $self->environment->{params}{ $_->param } = eval $_->value for ( @{$self->event->event_def->params} );
+ $current_environment = $self->environment;
+
+ $self->environment->{params}{ $_->param } = $compartment->reval($_->value) for ( @{$self->event->event_def->params} );
for my $e ( @{$self->event->event_def->env} ) {
my (@label, @path);
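Review bot: The value returned by `$compartment->reval($_->value)` is stored without checking `$@`, so an expression the compartment rejects, or one that fails to compile, silently becomes an undef parameter. Since the compartment is the security control here, each refusal should be logged with the parameter name, so that a malformed or hostile event definition shows up in the logs; the loop below does that and still stores undef as before. Separately, `permit(':default',':load')` adds the `require`/`dofile` opcodes to the default set, and a comment saying why parameter expressions need them would help the next reader judge whether the wider mask is intended. The try block and build_environment both continue outside this hunk.

```perl
# … unchanged: compartment setup and environment assignments …
$current_environment = $self->environment;

for my $p ( @{$self->event->event_def->params} ) {
    my $value = $compartment->reval($p->value);
    # reval reports a masked opcode or a compile/runtime failure in $@
    $log->error("trigger param " . $p->param . " failed in Safe compartment: $@") if $@;
    $self->environment->{params}{ $p->param } = $value;
}
```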