Index: openacs-4/packages/search/www/search.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/search/www/search.tcl,v
diff -u -N -r1.40.2.5 -r1.40.2.6
--- openacs-4/packages/search/www/search.tcl 24 May 2016 22:01:15 -0000 1.40.2.5
+++ openacs-4/packages/search/www/search.tcl 28 May 2016 09:49:31 -0000 1.40.2.6
@@ -7,8 +7,8 @@
 {t:trim ""}
 {offset:naturalnum,notnull 0}
 {num:range(0|200) 0}
- {dfs:word,trim ""}
- {dts:word,trim ""}
+ {dfs:word,trim,notnull ""}
+ {dts:word,trim,notnull ""}
 {search_package_id:naturalnum ""}
 {scope ""}
 {object_type:token ""}
@@ -18,6 +18,23 @@
 ad_complain "#search.lt_You_must_specify_some#"
 }
 }
+ valid_dfs -requires dfs {
+ if {![array exists symbol2interval]} {
+ array set symbol2interval [parameter::get -package_id [ad_conn package_id] -parameter Symbol2Interval]
+ }
+ if {$dfs ni [array names symbol2interval]} {
+ ad_complain "dfs: invalid interval"
+ }
+ }
+ valid_dts -requires dts {
+ if {![array exists symbol2interval]} {
+ array set symbol2interval [parameter::get -package_id [ad_conn package_id] -parameter Symbol2Interval]
+ }
+ if {$dts ni [array names symbol2interval]} {
+ ad_complain "dts: invalid interval"
+ }
+ }
+ csrf { security::csrf::validate }
 }
@@ -64,7 +81,6 @@
 set dfs ""
 }
-array set symbol2interval [parameter::get -package_id $package_id -parameter Symbol2Interval]
 if { $dfs ne "" } {
 set df [db_exec_plsql get_df "select now() + '$symbol2interval($dfs)'::interval"]
 }
Index: openacs-4/packages/acs-templating/www/doc/demo/compile.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-templating/www/doc/demo/compile.tcl,v
diff -u -N -r1.1.1.1.30.4 -r1.1.1.1.30.5
--- openacs-4/packages/acs-templating/www/doc/demo/compile.tcl 26 May 2016 17:22:32 -0000 1.1.1.1.30.4
+++ openacs-4/packages/acs-templating/www/doc/demo/compile.tcl 28 May 2016 09:51:22 -0000 1.1.1.1.30.5
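Review bot: The two validators each repeat the lazy `array set symbol2interval [parameter::get ...]`, and the page now depends on that side effect of a `-validate` block to populate the array that the later `'$symbol2interval($dfs)'::interval` expression reads (the explicit load at old line 67 is dropped in the third hunk), which only holds if ad_page_contract evaluates these blocks in the page's own scope. That coupling is invisible at the use site; a comment above `valid_dfs` would record it: `# dfs/dts are whitelisted against the Symbol2Interval keys; the array loaded here is reused below to build the interval SQL`. The duplicated loader could be folded into a single `parameter::get` ahead of the contract, but the whitelist check itself — refusing any key that is not configured before it reaches SQL — is the right fix. The enclosing `-validate` block starts before the hunk.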
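Review bot: `set df [db_exec_plsql get_df "select now() + '$symbol2interval($dfs)'::interval"]` still splices the interval text straight into the SQL; with `dfs` now restricted to configured keys a request can no longer choose it, but the value itself is whatever the Symbol2Interval package parameter holds, so a mistyped or hostile parameter value is executed as SQL. A bind variable removes that path regardless of configuration: `set interval_spec $symbol2interval($dfs)` followed by `select now() + cast(:interval_spec as interval)`. If the intent is that site parameters are trusted input, a one-line comment saying so at this line would at least make the assumption reviewable; the matching `dts` branch, if it is built the same way below the hunk, needs the same treatment. The surrounding page code continues past the hunk.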
@@ -11,7 +11,7 @@
 ad_complain "Only files within this directory may be shown."
 }
 set dir [file dirname [ad_conn file]]
- if { ![file readable $dir/$file] } {
+ if {![file readable $dir/$file] || [file isdirectory $dir/$file]} {
 ad_complain "requested file is not readable."
 }
 }
Index: openacs-4/packages/acs-templating/www/doc/demo/show.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-templating/www/doc/demo/show.tcl,v
diff -u -N -r1.3.2.3 -r1.3.2.4
--- openacs-4/packages/acs-templating/www/doc/demo/show.tcl 24 May 2016 09:11:28 -0000 1.3.2.3
+++ openacs-4/packages/acs-templating/www/doc/demo/show.tcl 28 May 2016 09:51:22 -0000 1.3.2.4
@@ -8,15 +8,15 @@
 file:trim,notnull
 } -validate {
 valid_file -requires file {
- if { [regexp {\.\.|^/} $file] } {
- ad_complain "Only files within this directory may be shown."
- }
- set dir [file dirname [ad_conn file]]
- if {![file readable $dir/$file]} {
- ad_complain "The specified file ist not readable"
- }
+ if { [regexp {\.\.|^/} $file] } {
+ ad_complain "Only files within this directory may be shown."
+ }
+ set dir [file dirname [ad_conn file]]
+ if {![file readable $dir/$file] || [file isdirectory $dir/$file]} {
+ ad_complain "The specified file ist not readable"
+ }
 }
-}
+}
 #
 # [ns_url2file [ns_conn url]] fails under request processor, since
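Review bot: The new `[file isdirectory $dir/$file]` test only rules out directories; a FIFO, socket or device node under the demo directory would still pass `file readable` and be handed to whatever reads the file after the contract. One predicate covers all of those cases: `if {![file isfile $dir/$file] || ![file readable $dir/$file]} {`. Both checks follow symlinks, so a link inside the demo tree that points elsewhere would also pass — if the tree is assumed link-free, a comment on this line saying so would make that assumption visible. The enclosing `valid_file` validator starts before the hunk.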
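Review bot: The same `file readable`/`file isdirectory` pair as in compile.tcl admits non-regular files such as FIFOs and device nodes, and `file isfile` rejects them in one test: `if {![file isfile $dir/$file] || ![file readable $dir/$file]} {`. The re-indented complaint keeps the typo in the user-visible message, `The specified file ist not readable`, which should read `The specified file is not readable`. Since compile.tcl and show.tcl now carry identical validation, a shared page-contract filter or a small proc for "readable regular file inside this directory" would keep the two from drifting apart again. The `ad_page_contract` call that this `-validate` block belongs to starts before the hunk.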