pub/Impl: Lib/IMPL/Web/QueryHandler/UrlController.pm comparison

comparison Lib/IMPL/Web/QueryHandler/UrlController.pm @ 148:e6447ad85cb4

DOM objects now have a schema and schemaSource properties RegExp now can launder data Improved post to DOM transformation (multiple values a now supported) Added new axes to navigation queries: ancestor and descendant minor changes and bug fixes

author	wizard
date	Mon, 16 Aug 2010 08:26:44 +0400
parents	5a9f64890c31
children	3f09584bf189

comparison

equal deleted inserted replaced

-:c2aa10fbb396
+:e6447ad85cb4
 use base qw(IMPL::Web::QueryHandler);
 use IMPL::Class::Property;
 use IMPL::Exception;
 use Carp qw(croak);
+use Scalar::Util qw(tainted);
 BEGIN {
 	public property namespace => prop_all;
 }
 	my $namespace = $this->namespace || $action->application->type;
 	my @target = grep $_, split /\//, ($ENV{PATH_INFO} || '') or die new IMPL::Exception("No target specified");
 	my $method = pop @target;
-	$method =~ s/\.\w+$//;
+	if ( $method =~ /^(\w+)/ ) {
+		$method = $1;
+	} else {
+		die new IMPL::Exception("Invalid method name",$method);
+	}
+	(/^(\w+)$/ or die new IMPL::Exception("Invalid module name part", $_)) and $_=$1 foreach @target;
 	my $module = join '::',$namespace,@target;
+	die new IMPL::Exception("A module name is untrusted", $module) if tainted($module);
 	eval "require $module; 1;" unless eval{ $module->can('InvokeAction'); };
 	if (my $err = $@ ) {
 		die new IMPL::Exception("Failed to load module",$module,$err);
 	}

Mercurial > pub > Impl

comparison Lib/IMPL/Web/QueryHandler/UrlController.pm @ 148:e6447ad85cb4