--- ../razor-agents-2.36.orig/lib/Razor2/Client/Agent.pm Tue May 6 17:00:38 2003
+++ ./lib/Razor2/Client/Agent.pm Thu Mar 11 23:11:11 2004
@@ -981,6 +981,7 @@
 my @fns;
 if (opendir D,$self->{razorhome}) {
 @fns = map "$self->{razorhome}/$_", grep /^server\.[\S]+\.conf$/, readdir D;
+ @fns = map { /^(\S+)$/, $1 } @fns; # untaint
 closedir D;
 }
 foreach (@fns) {
--- ../razor-agents-2.36.orig/lib/Razor2/Client/Config.pm Mon Apr 21 12:59:56 2003
+++ ./lib/Razor2/Client/Config.pm Thu Mar 11 23:11:11 2004
@@ -333,9 +333,11 @@
 if ($fn =~ /^(.*)\/([^\/]+)$/) {
 my $dir = $1;
 $fn = readlink $fn;
+ $fn = $1 if $fn =~ /^(\S+)$/; # untaint readlink
 $fn = "$dir/$fn" unless $fn =~ /^\//;
 } else {
 $fn = readlink $fn;
+ $fn = $1 if $fn =~ /^(\S+)$/; # untaint readlink
 }
 }
 }
@@ -376,13 +378,13 @@
 chomp;
 next if /^\s*#/;
 if ($nothash) {
- s/^\s+//; s/\s+$//;
+ next unless s/^\s*(.+?)\s*$/$1/; # untaint
 $conf->{$_} = 7;
 push @lines, $_;
 } else {
 next unless /=/;
- my ($attribute, $value) = split /\=/, $_, 2;
- $attribute =~ s/^\s+//; $attribute =~ s/\s+$//;
+ my ($attribute, $value) = /^\s*(.+?)\s*=\s*(.+?)\s*$/; # untaint
+ next unless (defined $attribute && defined $value);
 $conf->{$attribute} = $self->parse_value($value);
 }
 $total++;
--- ../razor-agents-2.36.orig/lib/Razor2/Client/Core.pm Tue Aug 5 11:07:53 2003
+++ ./lib/Razor2/Client/Core.pm Thu Mar 11 23:11:11 2004
@@ -218,8 +218,10 @@
 foreach $rr ($query->answer) {
 my $pushed = 0;
 if ($rr->type eq "A") {
- push @list, $rr->address;
- $pushed = 1;
+ if ($rr->address =~ m/^(\d+\.\d+\.\d+\.\d+)$/) {
+ push @list, $1;
+ $pushed = 1;
+ }
 } elsif ($rr->type eq "CNAME") {
 if ($rr->cname eq 'list.terminator') {
 pop @list if $pushed;
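Review bot: In the Agent.pm hunk the added `map { /^(\S+)$/, $1 } @fns` looks like it returns every path twice: in list context the match already yields its capture, and the `, $1` appends the same value again, so the `foreach (@fns)` that follows would visit each server conf file two times. When a path fails the pattern (for instance a razorhome containing a space) the match contributes nothing and `$1` is whatever an earlier match left behind, which may be undef or a stale path. `@fns = map { /^(\S+)$/ ? $1 : () } @fns;  # untaint; drop names that do not match` keeps one entry per file and discards the rest. Note that `\S+` also untaints the razorhome prefix, not only the file name that the `grep` already constrained, so a comment stating why that directory is trusted would be worth adding. The enclosing sub starts and ends outside the hunk.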
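Review bot: Both added `$fn = $1 if $fn =~ /^(\S+)$/;` lines in the first Config.pm hunk (-333) fail open: when readlink returns undef or a target containing whitespace, the condition is false and `$fn` carries on unchanged, still tainted or undefined, so the problem surfaces later and away from its cause. The pattern also accepts any whitespace-free target, including absolute paths and `..` segments, so it marks the link target as trusted without checking where it points. I would make the failure explicit, for example `defined $fn && $fn =~ /^(\S+)$/ or die "unsafe symlink target\n"; $fn = $1;`, adapted to whatever error path this sub uses, since its start and return convention are outside the hunk. A comment saying which directories a config symlink is allowed to resolve into would document the trust decision the untaint is making.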
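Review bot: The new attribute/value pattern in the second Config.pm hunk (-376) changes parsing as well as tainting: `(.+?)` for the value needs at least one character, so a line such as `key =`, which `split /\=/, $_, 2` used to turn into an empty value, is now skipped by `next unless (defined $attribute && defined $value)` with no message and without reaching `$total++`. If empty values should stay legal, `/^\s*(.+?)\s*=\s*(.*?)\s*$/` keeps them; if not, a warning naming the file and line would help whoever debugs a setting that is silently ignored. In the `$nothash` branch, `s/^\s*(.+?)\s*$/$1/` rewrites `$_` in place, and as far as I know a substitution on a tainted string leaves the result tainted, so the `# untaint` comment may not hold for the value pushed onto `@lines`; a capture plus assignment, `next unless /^\s*(.+?)\s*$/; $_ = $1;`, would. Either way `.+?` accepts any content, so these lines turn taint checking off for config data rather than validating it, which deserves a comment at the point of use. The surrounding loop begins and ends outside the hunk.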
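Review bot: The check added in the Core.pm hunk, `m/^(\d+\.\d+\.\d+\.\d+)$/`, is looser than an IPv4 address: each group may be any number of digits, and `$` also matches before a trailing newline, so the untainted value pushed onto `@list` is only known to be dotted digits. If the resolver library always renders A records from four bytes this is effectively a plain untaint and a comment should say so; otherwise `m/\A(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\z/` with an octet range check before the push would make it a real validation of data that arrives from the network. A record that fails the match is now dropped silently, so a debug log line in that path would help when discovery returns nothing usable. This hunk also lacks the `# untaint` comment the other files received. The `foreach` body continues past the end of the hunk.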