Difuse/luci
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

luci-base: sys: prevent path traversal via sys.init routines

Browse source 
Filter the init script name parameter through fs.basename() to avoid
invoking paths outside of /etc/init.d/.

Reported-by: Graham R <gr348@cam.ac.uk>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 8752701b0d)
This commit is contained in:
Jo-Philipp Wich 2022-01-19 16:32:52 +01:00
parent 7a37d02882
commit 2360ebc2e8
1 changed files with 2 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
modules/luci-base/luasrc/sys.lua
View file

@ -566,6 +566,7 @@ function init.names()
end
function init.index(name)
name = fs.basename(name)
if fs.access(init.dir..name) then
return call("env -i sh -c 'source %s%s enabled; exit ${START:-255}' >/dev/null"
%{ init.dir, name })
@ -573,6 +574,7 @@ function init.index(name)
end
local function init_action(action, name)
name = fs.basename(name)
if fs.access(init.dir..name) then
return call("env -i %s%s %s >/dev/null" %{ init.dir, name, action })
end