From 69eb2e295fbbea1ff16d4b20e7e056b70469aad4 Mon Sep 17 00:00:00 2001
From: Renato Botelho
Date: Tue, 17 Jun 2014 10:33:05 -0300
Subject: Avoid directory traversal when reading package xml files, also check if file exists before try to read it
---
 usr/local/www/pkg_edit.php | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
(limited to 'usr/local')
diff --git a/usr/local/www/pkg_edit.php b/usr/local/www/pkg_edit.php
index 792ac43..9fb48fc 100644
--- a/usr/local/www/pkg_edit.php
+++ b/usr/local/www/pkg_edit.php
@@ -65,9 +65,14 @@ function domTT_title($title_msg){
 $xml = htmlspecialchars($_GET['xml']);
 if($_POST['xml'])
 	$xml = htmlspecialchars($_POST['xml']);
-if($xml == "") {
+$xml = basename($xml);
+
+if ($xml == "") {
 	print_info_box_np(gettext("ERROR: No package defined."));
 	die;
+} else if (!file_exists('/usr/local/pkg/' . $xml)) {
+	print_info_box_np(gettext("ERROR: XML file not found"));
+	die;
 } else {
 	$pkg = parse_xml_config_pkg("/usr/local/pkg/" . $xml, "packagegui");
 }
--
cgit v1.1
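Review bot: The new `file_exists()` check also accepts directories, and `basename()` leaves a bare `.` or `..` unchanged, so such a value still reaches `parse_xml_config_pkg()` with a directory path; `is_file('/usr/local/pkg/' . $xml)` is the tighter test for this branch. `basename()` does cut `../` segments, but it is applied to the already HTML-encoded value, so a name containing `&`, `<` or a quote is looked up under its entity-encoded form instead of being rejected. An explicit allow-list on the raw name before building the path, e.g. `if (!preg_match('/^[A-Za-z0-9_.-]+\.xml$/', $xml)) { die; }`, would make the accepted set obvious to the next reader and decouple it from the output-escaping call. The `$xml` assignment run continues past the hunk's last line, so any later use of the value is outside this view.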