if (-e 'data/template') {
unless (-d 'data/template' && -e 'data/template/.lastRebuild' &&
(stat('data/template/.lastRebuild'))[9] >= $lastTemplateParamChange) {
+ print "Removing existing compiled templates ...\n";
+
# If File::Path::rmtree reported errors, then I'd use that
use File::Find;
sub remove {
}
{
+ print "Precompiling templates ...\n";
+
use File::Find;
use Cwd;
my $gid = (split " ", $()[0];
fixPerms('.htaccess', $<, $gid, 022); # glob('*') doesn't catch dotfiles
fixPerms('data/.htaccess', $<, $gid, 022);
- fixPerms('data/template', $<, $gid, 022, 1);
+ fixPerms('data/template', $<, $gid, 000, 1); # webserver will write to these
fixPerms('data/webdot/.htaccess', $<, $gid, 022);
fixPerms('data/params', $<, $gid, 011);
fixPerms('*', $<, $gid, 022);
# Loop over each file in the sub-directory looking for format files
# (files whose name looks like SCRIPT-FORMAT.EXT.tmpl).
foreach my $file (@files) {
- if ($file =~ /^\Q$script\E-(.+)\.(.+)\.(tmpl)$/) {
+ if ($file =~ /^\Q$script\E-(.+)\.(.+)\.tmpl$/) {
+ # This must be a valid file
+ # If an attacker could add a previously unused format
+ # type to trick us into running it, then they could just
+ # change an existing one...
+ # (This implies that running without a webservergroup is
+ # insecure, but that is the case anyway)
+ trick_taint($file);
+
$formats->{$1} = {
'template' => $file ,
'extension' => $2 ,
projects / thirdparty / bugzilla.git / commitdiff
