luci-base: sys: prevent path traversal via sys.init routines
Filter the init script name parameter through fs.basename() to avoid invoking paths outside of /etc/init.d/. Reported-by: Graham R <gr348@cam.ac.uk> Signed-off-by: Jo-Philipp Wich <jo@mein.io>
This commit is contained in:
Jo-Philipp Wich
parent
35df2adaf8
commit
8752701b0d
1 changed files with 2 additions and 0 deletions
|
|
@ -566,6 +566,7 @@ function init.names()
|
||||||
end
|
end
|
||||||
|
|
||||||
function init.index(name)
|
function init.index(name)
|
||||||
|
name = fs.basename(name)
|
||||||
if fs.access(init.dir..name) then
|
if fs.access(init.dir..name) then
|
||||||
return call("env -i sh -c 'source %s%s enabled; exit ${START:-255}' >/dev/null"
|
return call("env -i sh -c 'source %s%s enabled; exit ${START:-255}' >/dev/null"
|
||||||
%{ init.dir, name })
|
%{ init.dir, name })
|
||||||
|
|
@ -573,6 +574,7 @@ function init.index(name)
|
||||||
end
|
end
|
||||||
|
|
||||||
local function init_action(action, name)
|
local function init_action(action, name)
|
||||||
|
name = fs.basename(name)
|
||||||
if fs.access(init.dir..name) then
|
if fs.access(init.dir..name) then
|
||||||
return call("env -i %s%s %s >/dev/null" %{ init.dir, name, action })
|
return call("env -i %s%s %s >/dev/null" %{ init.dir, name, action })
|
||||||
end
|
end
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue