luci-mod-system: prevent comment injection in mtdbackup endpoint

Rework the parameter handling to both prevent a crash when no parameter is
given and prevent root command injection through the mtd index part of
the parameter value.

Fixes: 9840d310e ("modules: add backup module for mtdblock devices")
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
This commit is contained in:
Jo-Philipp Wich 2018-11-14 13:37:51 +01:00
parent aa2e0e2488
commit 6f7736c436


@ -319,9 +319,13 @@ function action_backup()
end
function action_backupmtdblock()
local http = require "luci.http"
local mv = http.formvalue("mtdblockname")
local m, s, n = mv:match('^([^%s]+)/([^%s]+)/([^%s]+)')
local mv = luci.http.formvalue("mtdblockname") or ""
local m, n = mv:match('^([^%s%./"]+)/%d+/(%d+)$')
if not m and n then
luci.http.status(400, "Bad Request")
return
end
local reader = ltn12_popen("dd if=/dev/mtd%s conv=fsync,notrunc 2>/dev/null" % n)