backup: Sanitise content of ADDON variable
authorMichael Tremer <michael.tremer@ipfire.org>
Thu, 30 Aug 2018 09:28:45 +0000 (10:28 +0100)
committerMichael Tremer <michael.tremer@ipfire.org>
Thu, 13 Sep 2018 14:03:59 +0000 (15:03 +0100)
References: #11830

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
html/cgi-bin/backup.cgi

index d1f0d4dfa1fb66ce8de272a229e389a695c14e66..2a036279d58e5316db2f647977890dac0c586779 100644 (file)
@@ -124,6 +124,12 @@ if ( $cgiparams{'ACTION'} eq "backup" )
 }
 if ( $cgiparams{'ACTION'} eq "addonbackup" )
 {
+       # Exit if there is any dots or slashes in the addon name
+       exit(1) if ($cgiparams{'ADDON'} =~ /(\.|\/)/);
+
+       # Check if the addon exists
+       exit(1) unless (-e "/var/ipfire/backup/addons/includes/$cgiparams{'ADDON'}");
+
        system("/usr/local/bin/backupctrl addonbackup $cgiparams{'ADDON'} >/dev/null 2>&1");
 }
 elsif ( $cgiparams{'ACTION'} eq "delete" )
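Review bot: An empty or missing `ADDON` value still passes both added checks in the `addonbackup` branch: the pattern finds no dot or slash, and the `-e` test then resolves to the includes directory itself, which exists, so `backupctrl addonbackup` runs with no addon name. The pattern is also a deny-list of two characters, so whitespace and shell metacharacters are not rejected and only the existence test stands between them and the shell-string `system()` call. An allow-list anchored at both ends is tighter, e.g. `exit(1) unless ($cgiparams{'ADDON'} =~ /\A[A-Za-z0-9_-]+\z/);` (the character class is a guess and should be checked against the addon names actually shipped). Using `-f` instead of `-e` would additionally reject directories. The surrounding `if`/`elsif` chain continues outside this hunk, so other branches that interpolate `%cgiparams` into `system()` may deserve the same check.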