authorjim-p <jimp@pfsense.org>2015-12-04 15:37:20 -0500
committerjim-p <jimp@pfsense.org>2015-12-04 15:38:39 -0500
commit3ac0284805ce357552c3ccaeff0a9aadd0c6ea13 (patch)
treef82bb7aef5c4d0657d69384a12193c0fc06aa826
parentdc77f0053210af6b9ec24d4ea97268b832eddfdf (diff)
Address a potential LFI in pkg.php and wizard.php without breaking the ability to pass relative paths
Restricts them to files under their intended base directories.
-rwxr-xr-xusr/local/www/pkg.php11
-rw-r--r--usr/local/www/wizard.php11
2 files changed, 18 insertions, 4 deletions
diff --git a/usr/local/www/pkg.php b/usr/local/www/pkg.php
index 9173965..e07206e 100755
--- a/usr/local/www/pkg.php
+++ b/usr/local/www/pkg.php
@@ -56,8 +56,15 @@ if($xml == "") {
print_info_box_np(gettext("ERROR: No package defined."));
exit;
} else {
- if(file_exists("/usr/local/pkg/" . $xml))
- $pkg = parse_xml_config_pkg("/usr/local/pkg/" . $xml, "packagegui");
+ $pkg_xml_prefix = "/usr/local/pkg/";
+ $pkg_full_path = "{$pkg_xml_prefix}/{$xml}";
+ if (substr_compare(realpath($pkg_full_path), $pkg_xml_prefix, 0, strlen($pkg_xml_prefix))) {
+ print_info_box_np(gettext("ERROR: Invalid path specified."));
+ die;
+ }
+
+ if(file_exists($pkg_full_path))
+ $pkg = parse_xml_config_pkg($pkg_full_path, "packagegui");
else {
echo "File not found " . htmlspecialchars($xml);
exit;
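Review bot: realpath() on line 30 returns false when $pkg_full_path does not exist, and that false is passed straight into substr_compare(); depending on the PHP version this either emits a warning and returns false (so control falls through to the file_exists branch) or compares an empty string and reports "Invalid path specified", which makes the missing-file outcome version-dependent rather than deliberate. Store the result and test it explicitly, e.g. `$pkg_real_path = realpath($pkg_full_path);` followed by `if ($pkg_real_path === false || strncmp($pkg_real_path, $pkg_xml_prefix, strlen($pkg_xml_prefix)) !== 0) {`. The non-zero return of substr_compare() is currently used as a bare truthy "mismatch" signal; comparing with `!== 0` makes the intent readable. The same construct appears in the wizard.php hunk. The closing brace of the enclosing else block lies outside this hunk.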
diff --git a/usr/local/www/wizard.php b/usr/local/www/wizard.php
index 251c58f..d5aa350 100644
--- a/usr/local/www/wizard.php
+++ b/usr/local/www/wizard.php
@@ -66,8 +66,15 @@ if(empty($xml)) {
print_info_box_np(sprintf(gettext("ERROR: Could not open %s."), $xml));
die;
} else {
- if (file_exists("{$g['www_path']}/wizards/{$xml}"))
- $pkg = parse_xml_config_pkg("{$g['www_path']}/wizards/" . $xml, "pfsensewizard");
+ $wizard_xml_prefix = "{$g['www_path']}/wizards";
+ $wizard_full_path = "{$wizard_xml_prefix}/{$xml}";
+ if (substr_compare(realpath($wizard_full_path), $wizard_xml_prefix, 0, strlen($wizard_xml_prefix))) {
+ print_info_box_np(gettext("ERROR: Invalid path specified."));
+ die;
+ }
+
+ if (file_exists($wizard_full_path))
+ $pkg = parse_xml_config_pkg($wizard_full_path, "pfsensewizard");
else {
print_info_box_np(sprintf(gettext("ERROR: Could not open %s."), $xml));
die;
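Review bot: The prefix built on line 50 has no trailing slash, so the check on line 52 accepts any resolved path that merely begins with `{$g['www_path']}/wizards`, including a sibling directory whose name starts with "wizards" — unlike pkg.php, whose prefix ends in "/". Compare against the directory plus its separator after storing realpath()'s result and rejecting false, e.g. `strncmp($wizard_real_path, $wizard_xml_prefix . '/', strlen($wizard_xml_prefix) + 1) !== 0`. The `die;` here and the `exit;` in pkg.php are equivalent; picking one keeps the two handlers consistent. The closing brace of the enclosing else block lies outside this hunk.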