authorjim-p <jimp@pfsense.org>2015-12-04 15:49:50 -0500
committerjim-p <jimp@pfsense.org>2015-12-04 15:49:50 -0500
commit44bcf766b9ddd4fd0a3327deb2213f9666aa6f4a (patch)
tree49822eaae579456f53f3868936efbeeaa454c3ce /src/usr/local/www/pkg.php
parentba5c55e9e57fe0e42d7b25968874d00bf143f50b (diff)
downloadpfsense-44bcf766b9ddd4fd0a3327deb2213f9666aa6f4a.zip
pfsense-44bcf766b9ddd4fd0a3327deb2213f9666aa6f4a.tar.gz
Address a potential LFI in pkg.php and wizard.php without breaking the ability to pass relative paths Restricts them to files under their intended base directories.
Diffstat (limited to 'src/usr/local/www/pkg.php')
-rwxr-xr-xsrc/usr/local/www/pkg.php10
1 files changed, 8 insertions, 2 deletions
diff --git a/src/usr/local/www/pkg.php b/src/usr/local/www/pkg.php
index 04e06ee..e318b52 100755
--- a/src/usr/local/www/pkg.php
+++ b/src/usr/local/www/pkg.php
@@ -83,8 +83,14 @@ if ($xml == "") {
include("foot.inc");
exit;
} else {
- if (file_exists("/usr/local/pkg/" . $xml)) {
- $pkg = parse_xml_config_pkg("/usr/local/pkg/" . $xml, "packagegui");
+ $pkg_xml_prefix = "/usr/local/pkg/";
+ $pkg_full_path = "{$pkg_xml_prefix}/{$xml}";
+ if (substr_compare(realpath($pkg_full_path), $pkg_xml_prefix, 0, strlen($pkg_xml_prefix))) {
+ print_info_box_np(gettext("ERROR: Invalid path specified."));
+ die;
+ }
+ if (file_exists($pkg_full_path)) {
+ $pkg = parse_xml_config_pkg($pkg_full_path, "packagegui");
} else {
include("head.inc");
print_info_box_np(gettext("File not found ") . htmlspecialchars($xml));
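Review bot: The return value of realpath() on the new line `if (substr_compare(realpath($pkg_full_path), $pkg_xml_prefix, 0, strlen($pkg_xml_prefix)))` is not checked for false; when the requested file does not exist realpath() returns false, substr_compare() then operates on an empty string (on PHP 7 this appears to emit a warning and return false), and execution reaches the file_exists() branch only because that falsy value happens to skip the error branch. Making the check explicit removes the dependence on that coercion: `$pkg_real_path = realpath($pkg_full_path);` followed by `if ($pkg_real_path === false || strncmp($pkg_real_path, $pkg_xml_prefix, strlen($pkg_xml_prefix)) !== 0) {`. The interpolation `"{$pkg_xml_prefix}/{$xml}"` also doubles the slash because the prefix already ends in one; `$pkg_xml_prefix . $xml` is sufficient. The rejecting branch calls print_info_box_np() and die without first including head.inc, unlike the "File not found" branch directly below it, so that error is printed outside the page layout. The enclosing else block continues past the end of the hunk.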