Validate input in php-admin to avoid altering arbitrary files

(Florian Streibelt, Morten Shearman Kirkegaard)

diff --git a/ChangeLog b/ChangeLog
index f03209cf7f0145bd373848f5b32813f08cbc9dcb..1196af3b6d7e964b732fdf25129d6593b4d00ae2 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,5 @@
+ o Fixed security bug in mlmmj-php-admin (Florian Streibelt, Morten Shearman
+   Kirkegaard)
  o Added contrib/amime-receive (Gerd v. Egidy)
  o Fixed memory leak in substitute_one() (Ben Schmidt)
  o Updated German listtexts (Christoph Wilke)

diff --git a/contrib/web/php-admin/htdocs/edit.php b/contrib/web/php-admin/htdocs/edit.php
index aad64ca65368a16ff7a1d65342185a4964b6fec9..d61d09911eaf49dc2ca66a29707c9d0fa412feed 100644 (file)
--- a/contrib/web/php-admin/htdocs/edit.php
+++ b/contrib/web/php-admin/htdocs/edit.php
@@ -104,6 +104,15 @@ $list = $HTTP_GET_VARS["list"];
 if(!isset($list))
 die("no list specified");
 
+if (strchr($list, "/") !== false)
+die("slash in list name");
+
+if ($list == ".")
+die("list name is dot");
+
+if ($list == "..")
+die("list name is dot-dot");
+
 if(!is_dir($topdir."/".$list))
 die("non-existent list");
 

diff --git a/contrib/web/php-admin/htdocs/save.php b/contrib/web/php-admin/htdocs/save.php
index aac84703da7be2797715947bc8281d529abe260b..c59a21320266c75c4e7507f95277ac36db85c329 100644 (file)
--- a/contrib/web/php-admin/htdocs/save.php
+++ b/contrib/web/php-admin/htdocs/save.php
@@ -79,6 +79,15 @@ $list = $HTTP_POST_VARS["list"];
 if(!isset($list))
 die("no list specified");
 
+if (strchr($list, "/") !== false)
+die("slash in list name");
+
+if ($list == ".")
+die("list name is dot");
+
+if ($list == "..")
+die("list name is dot-dot");
+
 if(!is_dir($topdir."/".$list))
 die("non-existent list");