authorRenato Botelho <garga@FreeBSD.org>2014-06-18 13:46:08 -0300
committerRenato Botelho <garga@FreeBSD.org>2014-06-18 13:46:08 -0300
commit811baa9bf50571bac372ddea0df5771fe1167d7b (patch)
tree5179bf23f82fe4201106446e40ea52974f36fa22 /usr/local/www
parente8abc4a76a2945525286fdff49cb0271594716ca (diff)
downloadpfsense-811baa9bf50571bac372ddea0df5771fe1167d7b.zip
pfsense-811baa9bf50571bac372ddea0df5771fe1167d7b.tar.gz
We need to allow subdirectories under /usr/local/pkg, here is the proper fix
Diffstat (limited to 'usr/local/www')
-rwxr-xr-xusr/local/www/pkg_edit.php12
1 files changed, 5 insertions, 7 deletions
diff --git a/usr/local/www/pkg_edit.php b/usr/local/www/pkg_edit.php
index faefc7d..d00ebd0 100755
--- a/usr/local/www/pkg_edit.php
+++ b/usr/local/www/pkg_edit.php
@@ -65,16 +65,14 @@ function domTT_title($title_msg){
$xml = htmlspecialchars($_GET['xml']);
if($_POST['xml']) $xml = htmlspecialchars($_POST['xml']);
-$xml = basename($xml);
+$xml_fullpath = realpath('/usr/local/pkg/' . $xml);
-if ($xml == "") {
- print_info_box_np(gettext("ERROR: No package defined."));
- die;
-} else if (!file_exists('/usr/local/pkg/' . $xml)) {
- print_info_box_np(gettext("ERROR: XML file not found"));
+if ($xml == "" || $xml_fullpath === false ||
+ substr($xml_fullpath, 0, strlen('/usr/local/pkg/')) != '/usr/local/pkg/') {
+ print_info_box_np(gettext("ERROR: No valid package defined."));
die;
} else {
- $pkg = parse_xml_config_pkg("/usr/local/pkg/" . $xml, "packagegui");
+ $pkg = parse_xml_config_pkg($xml_fullpath, "packagegui");
}
if($pkg['include_file'] <> "") {
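Review bot: The new condition starting at `if ($xml == "" || $xml_fullpath === false ||` accepts any existing path that resolves under `/usr/local/pkg/`, so a directory or a non-XML file there is still handed to `parse_xml_config_pkg()`. realpath() plus the prefix test does keep `../` sequences and symlinks from escaping the directory, but adding `|| !is_file($xml_fullpath)` would tighten the check, as would a `.xml` suffix test if package definitions always carry that extension. The prefix comparison would be clearer and strict as `strncmp($xml_fullpath, '/usr/local/pkg/', strlen('/usr/local/pkg/')) !== 0`, with the directory held in one variable rather than repeated as a literal. Separately, `$xml` is still the htmlspecialchars()-encoded request value when it is joined to the path, so a file name containing `&` or a quote will not resolve; HTML escaping belongs at the point of output, not before the filesystem lookup.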