author | Renato Botelho <garga@FreeBSD.org> | 2014-06-18 13:46:08 -0300 |
---|---|---|
committer | Renato Botelho <garga@FreeBSD.org> | 2014-06-18 13:46:23 -0300 |
commit | bef9f697b5158b8a25b9b8019228ad1dbddb1530 (patch) | |
tree | d6ec474532ccff1cea259a2be9f4c6438de6c4ce /usr | |
parent | 08f303203418306290d8393f0a77fcba4fab70d5 (diff) | |
We need to allow subdirectories under /usr/local/pkg, here is the proper fix
Diffstat (limited to 'usr')
-rw-r--r-- | usr/local/www/pkg_edit.php | 12 |
1 files changed, 5 insertions, 7 deletions
diff --git a/usr/local/www/pkg_edit.php b/usr/local/www/pkg_edit.php
index 9fb48fc..816114d 100644
--- a/usr/local/www/pkg_edit.php
+++ b/usr/local/www/pkg_edit.php
@@ -65,16 +65,14 @@ function domTT_title($title_msg){
 $xml = htmlspecialchars($_GET['xml']);
 if($_POST['xml']) $xml = htmlspecialchars($_POST['xml']);
-$xml = basename($xml);
+$xml_fullpath = realpath('/usr/local/pkg/' . $xml);
-if ($xml == "") {
- print_info_box_np(gettext("ERROR: No package defined."));
- die;
-} else if (!file_exists('/usr/local/pkg/' . $xml)) {
- print_info_box_np(gettext("ERROR: XML file not found"));
+if ($xml == "" || $xml_fullpath === false ||
+ substr($xml_fullpath, 0, strlen('/usr/local/pkg/')) != '/usr/local/pkg/') {
+ print_info_box_np(gettext("ERROR: No valid package defined."));
 die;
 } else {
- $pkg = parse_xml_config_pkg("/usr/local/pkg/" . $xml, "packagegui");
+ $pkg = parse_xml_config_pkg($xml_fullpath, "packagegui");
 }
 if($pkg['include_file'] <> "") { |
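Review bot: The new guard on `$xml_fullpath` only checks that the resolved path starts with `/usr/local/pkg/`, so a request naming a subdirectory or any non-XML file under that tree still reaches `parse_xml_config_pkg()`; adding `|| !is_file($xml_fullpath)` to the condition (plus an extension check, if only package XML is intended) would close that. The prefix is also a hard-coded literal compared with `!=`, which would reject every package if `/usr/local/pkg` is itself reached through a symlink; `$pkg_root = realpath('/usr/local/pkg') . '/';` followed by `strncmp($xml_fullpath, $pkg_root, strlen($pkg_root)) !== 0` keeps both sides canonical. With `basename()` gone, `$xml` itself can now carry `/` and `..` segments, so any later use of `$xml` outside this hunk presumably should be reviewed or switched to `$xml_fullpath`. The `if($pkg['include_file'] <> "")` block continues past the end of the hunk.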