diff Lib/IMPL/Web/QueryHandler/UrlController.pm @ 148:e6447ad85cb4
DOM objects now have a schema and schemaSource properties
RegExp now can launder data
Improved post to DOM transformation (multiple values are now supported)
Added new axes to navigation queries: ancestor and descendant
minor changes and bug fixes
author | wizard |
---|---|
date | Mon, 16 Aug 2010 08:26:44 +0400 |
parents | 5a9f64890c31 |
children | 3f09584bf189 |
--- a/Lib/IMPL/Web/QueryHandler/UrlController.pm Mon Aug 09 08:45:36 2010 +0400 +++ b/Lib/IMPL/Web/QueryHandler/UrlController.pm Mon Aug 16 08:26:44 2010 +0400 @@ -5,6 +5,7 @@ use IMPL::Class::Property; use IMPL::Exception; use Carp qw(croak); +use Scalar::Util qw(tainted); BEGIN { public property namespace => prop_all; @@ -20,10 +21,18 @@ my @target = grep $_, split /\//, ($ENV{PATH_INFO} || '') or die new IMPL::Exception("No target specified"); my $method = pop @target; - $method =~ s/\.\w+$//; + if ( $method =~ /^(\w+)/ ) { + $method = $1; + } else { + die new IMPL::Exception("Invalid method name",$method); + } + + (/^(\w+)$/ or die new IMPL::Exception("Invalid module name part", $_)) and $_=$1 foreach @target; my $module = join '::',$namespace,@target; + die new IMPL::Exception("A module name is untrusted", $module) if tainted($module); + eval "require $module; 1;" unless eval{ $module->can('InvokeAction'); }; if (my $err = $@ ) { die new IMPL::Exception("Failed to load module",$module,$err);
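Review bot: The `tainted($module)` guard in the second hunk is a no-op unless the interpreter runs with `-T`, because `Scalar::Util::tainted` returns false for every value when taint mode is off, so in that case the `\w+` patterns are the only thing between `PATH_INFO` and the string `eval "require $module; 1;"`. `$namespace` is joined into `$module` without a pattern check visible in the hunk, so I would validate the assembled name and load it by path instead of by string eval: `(my $file = "$module.pm") =~ s{::}{/}g;` followed by `eval { require $file; 1 }`. The method pattern `/^(\w+)/` has no end anchor and silently discards whatever follows the first word characters; `/^(\w+)(?:\.\w+)?$/` keeps the extension stripping and rejects the rest. The enclosing sub starts and ends outside the hunk, so how `$method` is dispatched and whether loadable modules are restricted to an allow-list cannot be judged from here.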