comparison Lib/IMPL/DOM/Transform/QueryToDOM.pm @ 325:34a110d1f06c
added security check for the query transformation
| author | cin |
|---|---|
| date | Mon, 27 May 2013 02:49:58 +0400 |
| parents | b56b1ec33b59 |
| children | 4cc6cc370fb2 |
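--- a/Lib/IMPL/DOM/Transform/QueryToDOM.pm
+++ b/Lib/IMPL/DOM/Transform/QueryToDOM.pm
@@ -1,18 +1,23 @@
 package IMPL::DOM::Transform::QueryToDOM;
 use strict;
 
 use IMPL::Const qw(:prop);
 use IMPL::declare {
+require => {
+OutOfRangeException => '-IMPL::OutOfRangeException'
+},
 base => [
 'IMPL::DOM::Transform::ObjectToDOM' => '@_'
 ],
 props => [
 prefix => PROP_RO,
 delimiter => PROP_RO
 ]
 };
+
+our $MAX_INDEX = 1024;
 
 sub CTOR {
 my ($this) = @_;
 
 $this->templates->{'CGI'} = 'TransformCGI';
@@ -57,26 +62,35 @@
 my $node = $data;
 while ( my $part = shift @parts ) {
 if (my ($name,$index) = ($part =~ m/^(\w+)(?:\[(\d+)\])?$/) ) {
 if (@parts) {
 if(defined $index) {
+$this->ValidateIndex($index);
 $node = ($node->{$name}[$index] ||= {});
 } else {
 $node = ($node->{$name} ||= {});
 }
 } else {
 if(defined $index) {
+$this->ValidateIndex($index);
 $node->{$name}[$index] = (@value == 1 ? $value[0] : \@value);
 } else {
 $node->{$name} = (@value == 1 ? $value[0] : \@value);
 }
 }
 }
 }
 }
 
 return $this->Transform($data);
+}
+
+sub ValidateIndex {
+my ($this,$index) = @_;
+
+die OutOfRangeException->new()
+unless $index >= 0 and $index <= $MAX_INDEX;
 }
 
 sub TransformAction {
 my ($this,$action) = @_;
 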
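Review bot: ValidateIndex caps each individual index at `$MAX_INDEX`, but the loop can still autovivify an array of up to 1025 slots at every bracketed level of a parameter name, and nothing in the visible lines limits how many path parts or distinct names one request may carry, so total allocation stays proportional to request size times that factor. If `@parts` comes from splitting the raw parameter name (the split is outside this hunk), a depth cap beside the index check would close the gap, for example `die OutOfRangeException->new() if @parts > $MAX_DEPTH;` before the `while` loop, with a new `our $MAX_DEPTH`. The exception is also raised without the rejected value, so a log entry cannot show which parameter tripped the limit; passing the index and the limit to the constructor, if IMPL::OutOfRangeException accepts arguments, would make rejected requests easier to detect and triage. A comment on `our $MAX_INDEX` such as `# largest array index accepted from a query parameter name; bounds autovivified array size` would record why the constant exists.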
