author | jim-p <jimp@netgate.com> | 2019-05-10 15:28:27 -0400 |
---|---|---|
committer | jim-p <jimp@netgate.com> | 2019-05-10 15:30:46 -0400 |
commit | ffe379addebcd980399502f31ecdb81e235b1ca5 (patch) | |
tree | 46f4d88c234cff4831174dd0cfb5ba024619cb9f | |
parent | 2d7ec8bfddb1ddac51426d03f59f3cdc5b8086a2 (diff) | |
Strengthen path privilege check. Fixes #9513
* Removes/resolves any relative paths in the submitted URL
* Validates that the file exists
* Trims the path component off afterward in a nicer way
(cherry picked from commit 0604f68855ff65b92cdebd57a08a2ceccbef675c)
-rw-r--r-- | src/etc/inc/auth_func.inc | 12 |
1 files changed, 8 insertions, 4 deletions
diff --git a/src/etc/inc/auth_func.inc b/src/etc/inc/auth_func.inc
index f1536d4..5bdee86 100644
--- a/src/etc/inc/auth_func.inc
+++ b/src/etc/inc/auth_func.inc
@@ -30,6 +30,7 @@ function cmp_page_matches($page, & $matches, $fullwc = true) {
+ global $g;
 // $dbg_matches = implode(",", $matches);
 // log_error("debug: checking page {$page} match with {$dbg_matches}");
@@ -37,11 +38,14 @@ function cmp_page_matches($page, & $matches, $fullwc = true) {
 return false;
 }
- /* skip any leading fwdslash */
- $test = strpos($page, "/");
- if ($test !== false && $test == 0) {
- $page = substr($page, 1);
+ list($file, $query) = explode('?', $page);
+ $file = realpath( $g['www_path'] . '/' . ltrim($file, '/'));
+ if (empty($file)) {
+ /* File does not exist, or other path shenanigans */
+ return false;
 }
+ $page = str_replace($g['www_path'] . '/', '', $file);
+ $page .= (!empty($query)) ? "?{$query}" : "";
 /* look for a match */
 foreach ($matches as $match) { |
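Review bot: The second hunk never checks that the path returned by `realpath()` actually lies under `$g['www_path']` before turning it back into `$page`. An existing file outside the web root passes the `empty($file)` test, and `str_replace()` then either leaves that absolute path untouched or strips the root string wherever it occurs, not only as a prefix. I would reject anything that does not start with the root and cut the prefix with `substr()`, so the containment rule is explicit rather than a side effect of the later match. Separately, `explode('?', $page)` without a limit raises an undefined-offset notice in `list()` when the page has no query string, and drops everything after a second `?`, so the privilege match sees a shortened query. The match loop continues outside the hunk, so how it treats an unstripped absolute path is not visible here.

```php
	$parts = explode('?', $page, 2);
	$root = $g['www_path'] . '/';
	$file = realpath($root . ltrim($parts[0], '/'));
	if (empty($file) || strncmp($file, $root, strlen($root)) !== 0) {
		/* File does not exist, or resolves outside the web root */
		return false;
	}
	$page = substr($file, strlen($root));
	if (!empty($parts[1])) {
		$page .= "?{$parts[1]}";
	}
	/* … unchanged: match loop … */
```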