--- loncom/lond 2016/09/24 19:16:57 1.489.2.23
+++ loncom/lond 2016/09/27 16:30:24 1.489.2.25
@@ -2,7 +2,7 @@
 # The LearningOnline Network
 # lond "LON Daemon" Server (port "LOND" 5663)
 #
-# $Id: lond,v 1.489.2.23 2016/09/24 19:16:57 raeburn Exp $
+# $Id: lond,v 1.489.2.25 2016/09/27 16:30:24 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -64,7 +64,7 @@ my $DEBUG = 0; # Non zero to ena
 
 my $status='';
 my $lastlog='';
-my $VERSION='$Revision: 1.489.2.23 $'; #' stupid emacs
+my $VERSION='$Revision: 1.489.2.25 $'; #' stupid emacs
 my $remoteVERSION;
 my $currenthostid="default";
 my $currentdomainid;
@@ -1429,7 +1429,7 @@ sub du2_handler {
 # If the requested path contains /../ or is:
 #
 # 1. for a directory, and the path does not begin with one of:
-# (a) /home/httpd/html/res//
+# (a) /home/httpd/html/res/
 # (b) /home/httpd/html/res/userfiles/
 # (c) /home/httpd/lonUsers//<1>/<2>/<3>//userfiles
 # or is:
@@ -1466,7 +1466,7 @@ sub ls_handler {
 }
 if (-e $ulsdir) {
 if(-d $ulsdir) {
- unless (($ulsdir =~ m{/home/httpd/html/(res/$LONCAPA::match_domain|userfiles)/}) ||
+ unless (($ulsdir =~ m{/home/httpd/html/(res/$LONCAPA::match_domain|userfiles/)}) ||
 ($ulsdir =~ m{/home/httpd/lonUsers/$LONCAPA::match_domain(?:/[\w\-.@]){3}/$LONCAPA::match_username/userfiles/})) {
 &Failure($client,"refused\n",$userinput);
 return 1;
@@ -1526,7 +1526,7 @@ sub ls_handler {
 # If the requested path contains /../ or is:
 #
 # 1. for a directory, and the path does not begin with one of:
-# (a) /home/httpd/html/res//
+# (a) /home/httpd/html/res/
 # (b) /home/httpd/html/res/userfiles/
 # (c) /home/httpd/lonUsers//<1>/<2>/<3>//userfiles
 # or is:
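Review bot: The allow-list test on the added line in the ls_handler hunk (1466) is unanchored, so `m{/home/httpd/html/(res/$LONCAPA::match_domain|userfiles/)}` succeeds wherever that string occurs inside `$ulsdir`, whereas the comment blocks at 1429 and 1526 state that the path must begin with one of the listed prefixes; a directory elsewhere on disk whose path merely contains `/home/httpd/html/userfiles/` would be listed. Unless `$ulsdir` is canonicalised before this point (the head of ls_handler is outside the hunk), anchor both alternatives: `unless (($ulsdir =~ m{\A/home/httpd/html/(res/$LONCAPA::match_domain|userfiles/)}) ||` and `($ulsdir =~ m{\A/home/httpd/lonUsers/$LONCAPA::match_domain(?:/[\w\-.@]){3}/$LONCAPA::match_username/userfiles/})) {`. The same unanchored test appears in the ls2_handler hunk at 1562 and the ls3_handler hunk at 1700, where the `priv/$LONCAPA::match_domain/` alternative would need the same anchor.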
@@ -1562,7 +1562,7 @@ sub ls2_handler {
 }
 if (-e $ulsdir) {
 if(-d $ulsdir) {
- unless (($ulsdir =~ m{/home/httpd/html/(res/$LONCAPA::match_domain|userfiles)/}) ||
+ unless (($ulsdir =~ m{/home/httpd/html/(res/$LONCAPA::match_domain|userfiles/)}) ||
 ($ulsdir =~ m{/home/httpd/lonUsers/$LONCAPA::match_domain(?:/[\w\-.@]){3}/$LONCAPA::match_username/userfiles/})) {
 &Failure($client,"refused\n","$userinput");
 return 1;
@@ -1615,7 +1615,7 @@ sub ls2_handler {
 # If the requested path (after prepending) contains /../ or is:
 #
 # 1. for a directory, and the path does not begin with one of:
-# (a) /home/httpd/html/res//
+# (a) /home/httpd/html/res/
 # (b) /home/httpd/html/res/userfiles/
 # (c) /home/httpd/lonUsers//<1>/<2>/<3>//userfiles
 # (d) /home/httpd/html/priv// and client is the homeserver
@@ -1700,7 +1700,7 @@ sub ls3_handler {
 if (-e $ulsdir) {
 if(-d $ulsdir) {
 unless (($getpropath) || ($getuserdir) ||
- ($ulsdir =~ m{/home/httpd/html/(res/$LONCAPA::match_domain|userfiles)/}) ||
+ ($ulsdir =~ m{/home/httpd/html/(res/$LONCAPA::match_domain|userfiles/)}) ||
 ($ulsdir =~ m{/home/httpd/lonUsers/$LONCAPA::match_domain(?:/[\w\-.@]){3}/$LONCAPA::match_username/userfiles/}) ||
 (($ulsdir =~ m{/home/httpd/html/priv/$LONCAPA::match_domain/}) && ($islocal))) {
 &Failure($client,"refused\n",$userinput);
@@ -5463,7 +5463,7 @@ sub auto_export_grades_handler {
 # $cmd - The command that got us dispatched.
 # $tail - The tail of the command. In our case this is a colon
 # separated list that will be split into:
-# $filename - The name of the file to remove.
+# $filename - The name of the file to retrieve.
 # The filename is given as a path relative to
 # the LonCAPA temp file directory.
 # $client - Socket open on the client.
@@ -5479,6 +5479,8 @@ sub retrieve_auto_file_handler {
 my $source = $perlvar{'lonDaemons'}.'/tmp/'.$filename;
 if ($filename =~m{/\.\./}) {
 &Failure($client, "refused\n", $userinput);
+ } elsif ($filename !~ /^$LONCAPA::match_domain\_$LONCAPA::match_courseid\_.+_classlist\.xml$/) {
+ &Failure($client, "refused\n", $userinput);
 } elsif ( (-e $source) && ($filename ne '') ) {
 my $reply = '';
 if (open(my $fh,$source)) {
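Review bot: The new filename check on the first added line still leaves the middle component open: `.+` accepts `/`, so a request can name a file in a subdirectory below `tmp/` rather than a classlist export in `tmp/` itself, and `$` (rather than `\z`) accepts a trailing newline after `_classlist.xml`; the `/\.\./` test above only rejects traversal with a slash on both sides. Tightening it to `} elsif ($filename !~ /^$LONCAPA::match_domain\_$LONCAPA::match_courseid\_[^/]+_classlist\.xml\z/) {` confines the lookup to a single well-formed name. Because the check now guarantees the name starts with a domain character, the two-arg `open(my $fh,$source)` on the context line below is no longer reachable with a mode prefix, but the three-arg form `open(my $fh, '<', $source)` would make that explicit rather than incidental. The rest of retrieve_auto_file_handler lies outside the hunk.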