
Révision 1cfe5490

Ajouté par Renato Botelho il y a presque 10 ans

Remove . and / from pkg name to avoid directory traversal


usr/local/www/pkg_mgr_install.php
108 108
				</tr>
109 109
<?php if ((empty($_GET['mode']) && $_GET['id']) || (!empty($_GET['mode']) && (!empty($_GET['pkg']) || $_GET['mode'] == 'reinstallall') && ($_GET['mode'] != 'installedinfo' && $_GET['mode'] != 'showlog'))):
110 110
	if (empty($_GET['mode']) && $_GET['id']) {
111
		$pkgname = str_replace(array("<", ">", ";", "&", "'", '"'), "", htmlspecialchars_decode($_GET['id'], ENT_QUOTES | ENT_HTML401));
111
		$pkgname = str_replace(array("<", ">", ";", "&", "'", '"', '.', '/'), "", htmlspecialchars_decode($_GET['id'], ENT_QUOTES | ENT_HTML401));
112 112
		$pkgmode = 'installed';
113 113
	} else if (!empty($_GET['mode']) && !empty($_GET['pkg'])) {
114
		$pkgname = str_replace(array("<", ">", ";", "&", "'", '"'), "", htmlspecialchars_decode($_GET['pkg'], ENT_QUOTES | ENT_HTML401));
115
		$pkgmode = str_replace(array("<", ">", ";", "&", "'", '"'), "", htmlspecialchars_decode($_GET['mode'], ENT_QUOTES | ENT_HTML401));
114
		$pkgname = str_replace(array("<", ">", ";", "&", "'", '"', '.', '/'), "", htmlspecialchars_decode($_GET['pkg'], ENT_QUOTES | ENT_HTML401));
115
		$pkgmode = str_replace(array("<", ">", ";", "&", "'", '"', '.', '/'), "", htmlspecialchars_decode($_GET['mode'], ENT_QUOTES | ENT_HTML401));
116 116
	} else if ($_GET['mode'] == 'reinstallall') {
117 117
		$pkgmode = 'reinstallall';
118 118
	}
......
191 191
ob_flush();
192 192

  
193 193
if ($_GET) {
194
	$pkgname = str_replace(array("<", ">", ";", "&", "'", '"'), "", htmlspecialchars_decode($_GET['pkg'], ENT_QUOTES | ENT_HTML401));
194
	$pkgname = str_replace(array("<", ">", ";", "&", "'", '"', '.', '/'), "", htmlspecialchars_decode($_GET['pkg'], ENT_QUOTES | ENT_HTML401));
195 195
	switch($_GET['mode']) {
196 196
	case 'showlog':
197 197
		if (strpos($pkgname, ".")) {
......
213 213
		break;
214 214
	}
215 215
} else if ($_POST) {
216
	$pkgid = str_replace(array("<", ">", ";", "&", "'", '"'), "", htmlspecialchars_decode($_POST['id'], ENT_QUOTES | ENT_HTML401));
216
	$pkgid = str_replace(array("<", ">", ";", "&", "'", '"', '.', '/'), "", htmlspecialchars_decode($_POST['id'], ENT_QUOTES | ENT_HTML401));
217 217

  
218 218
	/* All other cases make changes, so mount rw fs */
219 219
	conf_mount_rw();
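Review bot: The `if (strpos($pkgname, "."))` guard on line 197 of the showlog case can no longer be true, because the rewritten line 194 now strips every '.' from $pkgname before the switch, so whatever that guard protected is now dead code and should be removed or reworked (its body lies outside this hunk). The same deny-list is now copied on lines 111, 114, 115, 194 and 216; a single allow-list helper would be shorter and harder to bypass, e.g. `$pkgname = preg_replace('/[^A-Za-z0-9_-]/', '', $_GET['pkg']);`, which also rejects whitespace and any other separator the list does not name. Stripping '.' silently mangles any legitimate package name that contains a dot instead of rejecting the request; if such names exist, refusing inputs that fail the allow-list would be safer than sanitising them in place.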
