From 3ac0284805ce357552c3ccaeff0a9aadd0c6ea13 Mon Sep 17 00:00:00 2001
From: jim-p
Date: Fri, 4 Dec 2015 15:37:20 -0500
Subject: Address a potential LFI in pkg.php and wizard.php without breaking the ability to pass relative paths Restricts them to files under their intended base directories.
---
 usr/local/www/pkg.php | 11 +++++++++--
 usr/local/www/wizard.php | 11 +++++++++--
 2 files changed, 18 insertions(+), 4 deletions(-)
(limited to 'usr/local')
diff --git a/usr/local/www/pkg.php b/usr/local/www/pkg.php
index 9173965..e07206e 100755
--- a/usr/local/www/pkg.php
+++ b/usr/local/www/pkg.php
@@ -56,8 +56,15 @@ if($xml == "") {
 print_info_box_np(gettext("ERROR: No package defined."));
 exit;
 } else {
- if(file_exists("/usr/local/pkg/" . $xml))
- $pkg = parse_xml_config_pkg("/usr/local/pkg/" . $xml, "packagegui");
+ $pkg_xml_prefix = "/usr/local/pkg/";
+ $pkg_full_path = "{$pkg_xml_prefix}/{$xml}";
+ if (substr_compare(realpath($pkg_full_path), $pkg_xml_prefix, 0, strlen($pkg_xml_prefix))) {
+ print_info_box_np(gettext("ERROR: Invalid path specified."));
+ die;
+ }
+
+ if(file_exists($pkg_full_path))
+ $pkg = parse_xml_config_pkg($pkg_full_path, "packagegui");
 else {
 echo "File not found " . htmlspecialchars($xml);
 exit;
diff --git a/usr/local/www/wizard.php b/usr/local/www/wizard.php
index 251c58f..d5aa350 100644
--- a/usr/local/www/wizard.php
+++ b/usr/local/www/wizard.php
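Review bot: In pkg.php the result of `realpath($pkg_full_path)` is passed straight into `substr_compare()`, but `realpath()` returns `false` when the path does not resolve, so the containment check then rests on how `substr_compare()` treats an empty string (which has differed between PHP versions) and on the later `file_exists()` failing. Resolve once and test explicitly: `$pkg_real_path = realpath($pkg_full_path);` followed by `if ($pkg_real_path === false || strncmp($pkg_real_path, $pkg_xml_prefix, strlen($pkg_xml_prefix)) !== 0) {`. The `file_exists()` and `parse_xml_config_pkg()` calls should then take `$pkg_real_path`, so the path that was validated is the path that is opened. The wizard.php hunk has the same pattern with `$wizard_full_path`. The enclosing `if`/`else` starts and ends outside the hunk.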
@@ -66,8 +66,15 @@ if(empty($xml)) {
 print_info_box_np(sprintf(gettext("ERROR: Could not open %s."), $xml));
 die;
 } else {
- if (file_exists("{$g['www_path']}/wizards/{$xml}"))
- $pkg = parse_xml_config_pkg("{$g['www_path']}/wizards/" . $xml, "pfsensewizard");
+ $wizard_xml_prefix = "{$g['www_path']}/wizards";
+ $wizard_full_path = "{$wizard_xml_prefix}/{$xml}";
+ if (substr_compare(realpath($wizard_full_path), $wizard_xml_prefix, 0, strlen($wizard_xml_prefix))) {
+ print_info_box_np(gettext("ERROR: Invalid path specified."));
+ die;
+ }
+
+ if (file_exists($wizard_full_path))
+ $pkg = parse_xml_config_pkg($wizard_full_path, "pfsensewizard");
 else {
 print_info_box_np(sprintf(gettext("ERROR: Could not open %s."), $xml));
 die;
-- 
cgit v1.1
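Review bot: `$wizard_xml_prefix` has no trailing slash, so the prefix comparison also accepts a resolved path in any sibling of the wizards directory whose name merely starts with `wizards`; pkg.php avoids this because its prefix ends in `/`. Compare against the directory plus a separator, e.g. `$wizard_check_prefix = rtrim($wizard_xml_prefix, '/') . '/';`, and use that in the `substr_compare()` call. The prefix is also built from `$g['www_path']` without being canonicalised, so if that value contains a symlink or a trailing slash every valid wizard would be rejected; running the prefix through `realpath()` first would make both sides comparable. The surrounding `if`/`else` continues outside the hunk.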