author | Renato Botelho <garga@FreeBSD.org> | 2014-06-17 11:17:15 -0300 |
---|---|---|
committer | Renato Botelho <garga@FreeBSD.org> | 2014-06-17 11:17:23 -0300 |
commit | 7145cd87d1f6c67c900f6966df5f2d0ace50e109 (patch) | |
tree | 0fe6ffcc191d1f49b9231b17c47935cef198cd79 /usr | |
parent | c3936caf80b590f65bba7829db53bc0da4ef6a67 (diff) | |
Remove . and / from pkg name to avoid directory traversal
Diffstat (limited to 'usr')
-rw-r--r-- | usr/local/www/pkg_mgr_install.php | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/usr/local/www/pkg_mgr_install.php b/usr/local/www/pkg_mgr_install.php
index a157734..2f5d04c 100644
--- a/usr/local/www/pkg_mgr_install.php
+++ b/usr/local/www/pkg_mgr_install.php
@@ -105,11 +105,11 @@ if ($_POST) {
 </tr>
 <?php if ((empty($_GET['mode']) && $_GET['id']) || (!empty($_GET['mode']) && (!empty($_GET['pkg']) || $_GET['mode'] == 'reinstallall') && ($_GET['mode'] != 'installedinfo' && $_GET['mode'] != 'showlog'))):
 if (empty($_GET['mode']) && $_GET['id']) {
- $pkgname = str_replace(array("<", ">", ";", "&", "'", '"'), "", htmlspecialchars_decode($_GET['id'], ENT_QUOTES | ENT_HTML401));
+ $pkgname = str_replace(array("<", ">", ";", "&", "'", '"', '.', '/'), "", htmlspecialchars_decode($_GET['id'], ENT_QUOTES | ENT_HTML401));
 $pkgmode = 'installed';
 } else if (!empty($_GET['mode']) && !empty($_GET['pkg'])) {
- $pkgname = str_replace(array("<", ">", ";", "&", "'", '"'), "", htmlspecialchars_decode($_GET['pkg'], ENT_QUOTES | ENT_HTML401));
- $pkgmode = str_replace(array("<", ">", ";", "&", "'", '"'), "", htmlspecialchars_decode($_GET['mode'], ENT_QUOTES | ENT_HTML401));
+ $pkgname = str_replace(array("<", ">", ";", "&", "'", '"', '.', '/'), "", htmlspecialchars_decode($_GET['pkg'], ENT_QUOTES | ENT_HTML401));
+ $pkgmode = str_replace(array("<", ">", ";", "&", "'", '"', '.', '/'), "", htmlspecialchars_decode($_GET['mode'], ENT_QUOTES | ENT_HTML401));
 } else if ($_GET['mode'] == 'reinstallall') {
 $pkgmode = 'reinstallall';
 }
@@ -188,7 +188,7 @@ Rounded("div#mainareapkg","bl br","#FFF","#eeeeee","smooth");
 ob_flush();
 if ($_GET) {
- $pkgname = str_replace(array("<", ">", ";", "&", "'", '"'), "", htmlspecialchars_decode($_GET['pkg'], ENT_QUOTES | ENT_HTML401));
+ $pkgname = str_replace(array("<", ">", ";", "&", "'", '"', '.', '/'), "", htmlspecialchars_decode($_GET['pkg'], ENT_QUOTES | ENT_HTML401));
 switch($_GET['mode']) {
 case 'showlog':
 if (strpos($pkgname, ".")) {
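Review bot: The new `str_replace` calls still sanitise by silently deleting characters from a denylist, so an `id` or `pkg` value such as `..//foo` becomes `foo` and the request goes on to act on a different package instead of being refused; a traversal attempt should be rejected, not repaired. An allowlist is also the stronger form because it does not have to anticipate every dangerous byte — NUL, whitespace and shell metacharacters such as `$`, backtick or `|` still pass through, which matters if `$pkgname` later reaches a shell (not visible in this hunk). I would validate once, right after the decode, with `if (!preg_match('/^[A-Za-z0-9_-]+$/', $pkgname)) { $pkgname = ''; }` and stop processing when the name is empty, widening the character class only to what legitimate package names in pkg_config.xml actually use. The same denylist is applied to `$_GET['mode']`, which in the visible code is only ever compared against fixed strings; an `in_array(..., true)` check against the known mode values would state the contract more clearly than stripping. The `<?php if (...)` block opened here is closed outside the hunk.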
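Review bot: With every `.` now stripped from `$pkgname` on the `+` line, the `if (strpos($pkgname, "."))` guard on the very next context line can never be true and is dead code; either remove it or perform the rejection before the stripping (and write it as `strpos($pkgname, '.') !== false`, since a match at position 0 is falsy). Stripping rather than rejecting also means a package whose name legitimately contains a dot — if any exist in pkg_config.xml, which I cannot confirm from here — is silently mapped to a different name instead of producing an error. `$_GET['pkg']` is read unconditionally here although the earlier hunk shows `mode=reinstallall` requests that carry no `pkg`, so `isset($_GET['pkg']) ? $_GET['pkg'] : ''` would avoid an undefined-index notice on that path. The `switch` opened here continues past the hunk.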
@@ -210,7 +210,7 @@ if ($_GET) {
 break;
 }
 } else if ($_POST) {
- $pkgid = str_replace(array("<", ">", ";", "&", "'", '"'), "", htmlspecialchars_decode($_POST['id'], ENT_QUOTES | ENT_HTML401));
+ $pkgid = str_replace(array("<", ">", ";", "&", "'", '"', '.', '/'), "", htmlspecialchars_decode($_POST['id'], ENT_QUOTES | ENT_HTML401));
 /* All other cases make changes, so mount rw fs */
 conf_mount_rw();
|
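Review bot: The sanitiser on the `+` line is the same decode-then-`str_replace` sequence that now appears five times in this file, differing only in the input, so each future hardening has to be repeated by hand at every site (this commit added `.` and `/` to all five) and one missed site silently re-opens the hole. A single helper used by every call site keeps the check in one place and gives it a name and a comment explaining what it protects; this line would become `$pkgid = pkg_sanitize_name($_POST['id']);`. The helper below keeps the commit's exact character set so behaviour is unchanged; moving it to an allowlist of the characters legitimate package names use would be a separate, stronger step. The `else if ($_POST)` block continues past `conf_mount_rw()` outside the hunk.

```php
/* Reduce an untrusted package identifier from the request to a value that cannot
 * carry HTML, shell separators or path traversal.  Review: an allowlist of the
 * characters package names may contain would be stronger than this denylist. */
function pkg_sanitize_name($raw) {
	$decoded = htmlspecialchars_decode($raw, ENT_QUOTES | ENT_HTML401);
	return str_replace(array("<", ">", ";", "&", "'", '"', '.', '/'), "", $decoded);
}
// … unchanged: GET handling above …
} else if ($_POST) {
	$pkgid = pkg_sanitize_name($_POST['id']);
	// … unchanged: mount rw and the rest of the POST handling …
```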