add some security fixes
[spider.git] / perl / DXCommandmode.pm
index 95039af60ef5ef477ddc77333660a246610c830a..f5ef8e2808ba0a1b403610ed5245575013b93960 100644 (file)
@@ -437,8 +437,11 @@ sub run_cmd
        $args = "" unless defined $args;
                
        if ($cmd) {
-               # strip out // on command only
+               # strip out // and .. on command only
                $cmd =~ s|//|/|g;
+               $cmd =~ s|\.+||g;               # no dots allowed
+               $cmd =~ s|^/||g;                # no leading / either
+               $cmd =~ s|[^-\w/]||g;   # and no funny characters
                                        
                my ($path, $fcmd);
                        
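Review bot: The new filter silently rewrites the command instead of rejecting it — `s|\.+||g` turns `show/../dx` into `show//dx` and `s|[^-\w/]||g` turns `set;rm` into `setrm`, so a malformed or hostile command name can still resolve to a real command, just not the one typed. A whitelist test that refuses anything outside the expected shape is safer and also makes the order problem go away: `unless ($cmd =~ m{\A[-\w]+(?:/[-\w]+)*\z}) { return (1, "invalid command: $cmd"); }` (the exact return form should follow how run_cmd reports errors elsewhere; that part of the body is outside the hunk). As written, `s|//|/|g` runs before the dot strip, so `a/./b` becomes `a//b` after line 11 rather than being collapsed; if stripping is kept, move the `//` collapse after the dot and character filters. The `g` flag on `s|^/||g` is redundant because the pattern is anchored with `^` and can only match once.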
@@ -454,7 +457,7 @@ sub run_cmd
                        
                # first expand out the entry to a command
                ($path, $fcmd) = search($main::localcmd, $cmd, "pl");
-               ($path, $fcmd) = search($main::cmd, $cmd, "pl") if !$path || !$fcmd;
+               ($path, $fcmd) = search($main::cmd, $cmd, "pl") unless $path && $fcmd;
 
                if ($path && $cmd) {
                        dbg("path: $cmd cmd: $fcmd") if isdbg('command');