From: Michael Tremer
Date: Thu, 30 Aug 2018 09:28:45 +0000 (+0100)
Subject: backup: Sanitise content of ADDON variable
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8bf12ea32976508950b0f2e7e5d8b977ae7ea240;p=people%2Fms%2Fipfire-2.x.git
backup: Sanitise content of ADDON variable
References: #11830
Signed-off-by: Michael Tremer
---
diff --git a/html/cgi-bin/backup.cgi b/html/cgi-bin/backup.cgi
index d1f0d4dfa1..2a036279d5 100644
--- a/html/cgi-bin/backup.cgi
+++ b/html/cgi-bin/backup.cgi
@@ -124,6 +124,12 @@ if ( $cgiparams{'ACTION'} eq "backup" )
 }
 if ( $cgiparams{'ACTION'} eq "addonbackup" )
 {
+ # Exit if there is any dots or slashes in the addon name
+ exit(1) if ($cgiparams{'ADDON'} =~ /(\.|\/)/);
+
+ # Check if the addon exists
+ exit(1) unless (-e "/var/ipfire/backup/addons/includes/$cgiparams{'ADDON'}");
+
 system("/usr/local/bin/backupctrl addonbackup $cgiparams{'ADDON'} >/dev/null 2>&1");
 }
 elsif ( $cgiparams{'ACTION'} eq "delete" )
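Review bot: The two added guards in the "addonbackup" branch are a deny-list, and an empty or missing ADDON still passes both, because `-e "/var/ipfire/backup/addons/includes/"` is true for the directory itself. The value then reaches the unchanged single-string `system()` call, which is run through the shell, so the only thing keeping shell metacharacters out is that an include file with that exact name must exist. An anchored allow-list would be tighter, e.g. `exit(1) unless ($cgiparams{'ADDON'} =~ /\A[A-Za-z0-9_-]+\z/);` (the character set is an assumption to check against real addon names), followed by `-f` rather than `-e` for the include file. Passing the name as a separate argument, `system("/usr/local/bin/backupctrl", "addonbackup", $cgiparams{'ADDON'});`, would take the shell out of the path, though the `>/dev/null 2>&1` redirect would then need handling another way. The surrounding if/elsif chain continues outside the hunk.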