Taint mode (-T) is turned on; however, not all shell expansions are untainted. This will generate errors in some installations (apparently not in my dev environment though... weird).
Here are the lines that include shell expansion:
654: $line =~ s#\`{1}(.*?)\`{1}#<tt>$1</tt>#g;
741: '`<tt>teletype</tt>`</dd>'.
1400: $diff = `diff $TempDir/old $TempDir/new`;
1516: my $diff = `diff $TempDir/old $TempDir/new`;
1645: print $q->p("perl: ".`perl -v`);
1646: print $q->p("diff: ".`diff --version`);
1647: print $q->p("grep: ".`grep --version`);
1648: print $q->p("awk: ".`awk --version`);
2289: chomp(my @files = `grep -Prl '$Param{'search'}' $PageDir`);
2990: my $diff = `diff $TempDir/old $TempDir/new`;
3179: chomp(my @counts = split(/\n/,`grep ^$UserIP $VisitorLog | awk '\$2>$spts'`));
For sure lines 1400, 1516, 2289, 2990, and 3179 should be examined closely.
-- AaronGraves Thu Jun 23 03:57:33 UTC 2016 (107.167.108.182)
Lines 1400, 1516, 2289, and 2990 have been untainted. 3179 (now 3194) remains.
-- AaronGraves Thu Jun 23 04:21:45 UTC 2016 (107.167.108.182)
Some untainting methods: http://www.perlmonks.org/?node_id=516577
-- AaronGraves Thu Jun 23 16:10:23 UTC 2016 (107.167.108.182)
In DoSearch, line 2394:
open my($FILES), "grep -Erli '($search|$altsearch)' $PageDir 2>/dev/null |";
This needs to be untainted too.
-- AaronGraves Thu Jun 23 17:15:55 UTC 2016 (107.167.108.182)
In addition to the above, this will have to be corrected in ListAllFiles, ListAllTemplates, and ListDeletedPages.
-- AaronGraves Thu Jun 23 17:33:21 UTC 2016 (107.167.108.182)
For untainting, see https://github.com/ajgraves/aneuch/issues/32
-- AaronGraves Fri Jun 24 04:23:51 UTC 2016 (107.167.108.182)
For 3179 I would suggest something like this for line 253:
$UserIP = $q->remote_addr; #$ENV{'REMOTE_ADDR'};
if ($UserIP =~ /^([0-9.]+)$/) {
  $UserIP=$1;
} else {
  $UserIP='000.000.000.000'; # Redirect to an error page instead?
}
-- Russ Sun Jun 26 19:21:16 UTC 2016 (24.113.55.207)
Thanks Russ, actually what I used was:
my ($UIP) = ($UserIP =~ /^(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$/g); # nnn.nnn.nnn.nnn
-- AaronGraves Tue Jun 28 01:33:48 UTC 2016 (107.167.108.182)
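Putting the two fixes discussed above together (the dotted-quad untaint for $UserIP and the DoSearch grep pipe), as an added example that is not code from aneuch.pl: it shows the regex-capture untaint idiom and replaces the shell pipe with the list form of open, which never invokes a shell. It is meant to run under perl -T; the function names, the character set allowed in a search term, and the value of $PageDir are assumptions.

```perl
use strict;
use warnings;

# Taint mode refuses to hand tainted data to a piped open, so each piece of
# user input goes through a regex capture first: only the captured text is
# untainted, and the pattern decides exactly which characters survive.

# Same dotted-quad check the thread uses for $UserIP; returns undef when the
# value does not look like an IPv4 address so the caller can reject it.
sub untaint_ip {
    my ($ip) = @_;
    my ($clean) = ($ip =~ /^(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$/);
    return $clean;
}

# Search terms are reduced to letters, digits, spaces, '_' and '-' (assumed
# charset). Quotes, '|', ';' or '$' make the term unusable rather than "escaped".
sub untaint_search_term {
    my ($term) = @_;
    my ($clean) = ($term =~ /^([\w\s-]+)$/);
    return $clean;
}

# Replacement for the DoSearch pipe: with the list form of open, the pattern
# and directory reach grep as separate argv entries, and '--' stops a term
# that starts with '-' from being parsed as a grep option.
sub search_pages {
    my ($search, $altsearch, $dir) = @_;
    my @terms = grep { defined } map { untaint_search_term($_) } ($search, $altsearch);
    return () unless @terms;
    my $pattern = '(' . join('|', @terms) . ')';   # alternation rebuilt from clean terms only
    local $ENV{PATH} = '/bin:/usr/bin';            # taint mode also demands an untainted PATH
    open(my $fh, '-|', 'grep', '-Erli', '--', $pattern, $dir)
        or die "cannot run grep: $!";
    chomp(my @files = <$fh>);
    close $fh;
    return @files;
}

# Constructed inputs for a quick check; $PageDir stands in for the wiki's page directory.
my $PageDir = '/var/www/aneuch/pages';
print defined untaint_ip('10.0.0.1')        ? "ip ok\n"       : "ip rejected\n";
print defined untaint_ip('10.0.0.1; x')     ? "ip ok\n"       : "ip rejected\n";
print defined untaint_search_term('foo; x') ? "term ok\n"     : "term rejected\n";
print scalar(search_pages('wiki', 'aneuch', $PageDir)), " matching page(s)\n";
```

Dropping the shell also drops the 2>/dev/null redirection, so grep's stderr (e.g. permission errors) goes to the web server's error log instead of being discarded.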
Untainting should be completed.
-- AaronGraves Tue Jun 28 19:50:40 UTC 2016 (107.167.116.86)
I re-downloaded aneuch.pl today and think I found two more:
-- Russ Mon Jul 4 03:46:58 UTC 2016 (24.113.55.207)
Thanks Russ, I did miss a few places. I'll go through again and make sure they are all mopped up.
-- AaronGraves Mon Jul 4 14:21:16 UTC 2016 (174.71.115.113)
-- AaronGraves Tue Jul 12 13:54:11 UTC 2016 (174.71.115.113)
Update on bootstrap: The framework has been implemented. The administration screen has been updated to use the framework as well. The site is completely mobile friendly (including the admin screen). Small tweaks are likely to continue up until release.
-- AaronGraves Thu Jul 14 17:55:36 UTC 2016 (174.71.115.113)
I've also written a sitemap plugin. Debating including the functionality into Aneuch itself.
-- AaronGraves Thu Jul 14 17:56:24 UTC 2016 (174.71.115.113)
Images now have the class 'img-responsive' so they are actually, you know, responsive.
-- AaronGraves Sat Jul 23 16:42:43 UTC 2016 (216.105.250.127)
I should add UTF8 encoding for saving/reading files as well in this version.
-- AaronGraves Sun Jul 16 16:39:14 UTC 2017 (216.105.250.127)
Preferences Storage API was introduced yesterday.
Going to look at using this internally in Aneuch, for things like the content blocking rules, IP bans, etc.
I've placed an emphasis in the code that the preferences database be read only once per "session" within Aneuch. There is a small concern about the speed reduction that may take place loading a large preferences database. Ultimately I think putting the content blocking rules into this system would be a big indicator of performance as that's the largest bit of data that gets loaded every session.
Then again, I don't think it would significantly impact things, as it's already being loaded once per session. I guess time will tell.
-- AaronGraves Sun Oct 29 11:41:47 UTC 2017 (216.105.250.127)