From 76c4ff0ecf269272aad3a6f06942596d2f0ab9ff Mon Sep 17 00:00:00 2001 From: Renato Botelho Date: Tue, 17 Jun 2014 09:28:35 -0300 Subject: Be more careful with host parameter and make sure it's escaped when call shell functions --- usr/local/www/diag_dns.php | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) (limited to 'usr/local/www/diag_dns.php') diff --git a/usr/local/www/diag_dns.php b/usr/local/www/diag_dns.php index fcdd330..bec923a 100644 --- a/usr/local/www/diag_dns.php +++ b/usr/local/www/diag_dns.php @@ -38,16 +38,17 @@ require("guiconfig.inc"); if ($_GET['host']) $_POST = $_GET; -if($_GET['createalias'] == "true") { - $host = trim($_POST['host']); +$host = trim($_POST['host'], " \t\n\r\0\x0B[];\"'"); +$host_esc = escapeshellarg($host); + +if($_GET['createalias'] == "true" && (is_hostname($host) || is_ipaddr($host))) { if($_GET['override']) $override = true; $a_aliases = &$config['aliases']['alias']; $type = "hostname"; $resolved = gethostbyname($host); if($resolved) { - $host = trim($_POST['host']); - $drill=`/usr/bin/drill "$host" A | grep "$host" | grep -v ";" | awk '{ print $5 }'`; + $drill=`/usr/bin/drill "{$host_esc}" A | grep "{$host_esc}" | grep -v ";" | awk '{ print $5 }'`; $resolved = explode("\n", $drill); $isfirst = true; foreach($resolved as $re) { @@ -93,8 +94,6 @@ if ($_POST) { $reqdfieldsn = explode(",", "Host"); do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors); - $host = trim($_POST['host'], " \t\n\r\0\x0B[]"); - $host_esc = escapeshellarg($host); if (!is_hostname($host) && !is_ipaddr($host)) { $input_errors[] = gettext("Host must be a valid hostname or IP address."); @@ -130,7 +129,7 @@ if ($_POST) { $type = "hostname"; $resolved = gethostbyname($host); if($resolved) { - $drill=`/usr/bin/drill $host_esc A | grep $host_esc | grep -v ";" | awk '{ print $5 }'`; + $drill=`/usr/bin/drill {$host_esc} A | grep {$host_esc} | grep -v ";" | awk '{ print $5 }'`; $resolved = explode("\n", $drill); } $hostname = $host; -- cgit v1.1