author | jim-p <jimp@pfsense.org> | 2015-12-04 15:49:50 -0500 |
---|---|---|
committer | jim-p <jimp@pfsense.org> | 2015-12-04 15:49:50 -0500 |
commit | 44bcf766b9ddd4fd0a3327deb2213f9666aa6f4a (patch) | |
tree | 49822eaae579456f53f3868936efbeeaa454c3ce /src | |
parent | ba5c55e9e57fe0e42d7b25968874d00bf143f50b (diff) | |
Address a potential LFI in pkg.php and wizard.php without breaking the ability to pass relative paths. Restricts them to files under their intended base directories.
Diffstat (limited to 'src')
-rwxr-xr-x | src/usr/local/www/pkg.php | 10 | ||||
-rw-r--r-- | src/usr/local/www/wizard.php | 10 |
2 files changed, 16 insertions, 4 deletions
diff --git a/src/usr/local/www/pkg.php b/src/usr/local/www/pkg.php
index 04e06ee..e318b52 100755
--- a/src/usr/local/www/pkg.php
+++ b/src/usr/local/www/pkg.php
@@ -83,8 +83,14 @@ if ($xml == "") {
 include("foot.inc");
 exit;
 } else {
- if (file_exists("/usr/local/pkg/" . $xml)) {
- $pkg = parse_xml_config_pkg("/usr/local/pkg/" . $xml, "packagegui");
+ $pkg_xml_prefix = "/usr/local/pkg/";
+ $pkg_full_path = "{$pkg_xml_prefix}/{$xml}";
+ if (substr_compare(realpath($pkg_full_path), $pkg_xml_prefix, 0, strlen($pkg_xml_prefix))) {
+ print_info_box_np(gettext("ERROR: Invalid path specified."));
+ die;
+ }
+ if (file_exists($pkg_full_path)) {
+ $pkg = parse_xml_config_pkg($pkg_full_path, "packagegui");
 } else {
 include("head.inc");
 print_info_box_np(gettext("File not found ") . htmlspecialchars($xml));
diff --git a/src/usr/local/www/wizard.php b/src/usr/local/www/wizard.php
index c47db6c..2f97112 100644
--- a/src/usr/local/www/wizard.php
+++ b/src/usr/local/www/wizard.php
@@ -97,8 +97,14 @@ if (empty($xml)) {
 print_info_box_np(sprintf(gettext("ERROR: Could not open %s."), $xml));
 die;
 } else {
- if (file_exists("{$g['www_path']}/wizards/{$xml}")) {
- $pkg = parse_xml_config_pkg("{$g['www_path']}/wizards/" . $xml, "pfsensewizard");
+ $wizard_xml_prefix = "{$g['www_path']}/wizards";
+ $wizard_full_path = "{$wizard_xml_prefix}/{$xml}";
+ if (substr_compare(realpath($wizard_full_path), $wizard_xml_prefix, 0, strlen($wizard_xml_prefix))) {
+ print_info_box_np(gettext("ERROR: Invalid path specified."));
+ die;
+ }
+ if (file_exists($wizard_full_path)) {
+ $pkg = parse_xml_config_pkg($wizard_full_path, "pfsensewizard");
 } else {
 print_info_box_np(sprintf(gettext("ERROR: Could not open %s."), $xml));
 die; |
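Review bot: In the new path check in pkg.php, `realpath($pkg_full_path)` returns false when the file does not exist, and feeding that false into `substr_compare()` makes the prefix test fail by accident rather than by design, so the `File not found` branch below it is effectively unreachable; the wizard.php hunk has the same shape. Make the failure explicit: `$pkg_real_path = realpath($pkg_full_path);` followed by `if ($pkg_real_path === false || substr_compare($pkg_real_path, $pkg_xml_prefix, 0, strlen($pkg_xml_prefix)) !== 0) {`. Separately, `$pkg_xml_prefix` already ends in a slash, so `"{$pkg_xml_prefix}/{$xml}"` builds a double-slash path; `$pkg_xml_prefix . $xml` is enough. Note that realpath() resolves symlinks while the prefix is a literal string, so if `/usr/local/pkg` were itself reached through a symlink every valid request would be rejected — worth confirming on the target system, or comparing against `realpath($pkg_xml_prefix)` as well.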
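Review bot: The prefix compared in wizard.php, `$wizard_xml_prefix = "{$g['www_path']}/wizards"`, has no trailing directory separator, so the check only guarantees that the resolved path starts with that string: any sibling entry under www_path whose name merely begins with `wizards` would pass, whereas the pkg.php hunk compares against `/usr/local/pkg/` including the slash. Compare against the prefix plus separator: `if (substr_compare(realpath($wizard_full_path), $wizard_xml_prefix . "/", 0, strlen($wizard_xml_prefix) + 1)) {`. That also makes a request for the directory itself (`$xml` of `.`) fail closed, since realpath() of a directory carries no trailing slash and the current check accepts it before handing a directory to parse_xml_config_pkg().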