pakfire.cgi: Check user given package list for invalid characters.
index a9e12d23c181a39b5ee1b5813d3de920661f7ff0..4dad5b2c11ea5f72e6d096c3bba12ab864f23487 100644 (file)
@@ -54,12 +54,19 @@ sub refreshpage{&Header::openbox( 'Waiting', 1, "<meta http-equiv='refresh' cont
 &Header::openpage($Lang::tr{'pakfire configuration'}, 1);
 &Header::openbigbox('100%', 'left', '', $errormessage);
 
+
 if ($cgiparams{'ACTION'} eq 'install'){
        $cgiparams{'INSPAKS'} =~ s/\|/\ /g;
        if ("$cgiparams{'FORCE'}" eq "on") {
-               my $command = "/usr/local/bin/pakfire install --non-interactive --no-colors $cgiparams{'INSPAKS'} &>/dev/null &";
-               system("$command");
-               system("/bin/sleep 1");
+               # Check for invalid package names.
+               if (&check_input($cgiparams{'INSPAKS'})) {
+                       # Assign error message.
+                       $errormessage = "$Lang::tr{'pakfire invalid characters in package list'}";
+               } else {
+                       my $command = "/usr/local/bin/pakfire install --non-interactive --no-colors $cgiparams{'INSPAKS'} &>/dev/null &";
+                       system("$command");
+                       system("/bin/sleep 1");
+               }
        } else {
                &Header::openbox("100%", "center", $Lang::tr{'request'});
                my @output = `/usr/local/bin/pakfire resolvedeps --no-colors $cgiparams{'INSPAKS'}`;
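Review bot: The new check guards only the `FORCE eq "on"` branch; in the `else` branch at the end of this hunk the backtick `pakfire resolvedeps` call still interpolates the unchecked `$cgiparams{'INSPAKS'}` into a shell command. The check should run before the `FORCE` test so both paths are covered, for example `if (&check_input(...)) { $errormessage = ...; } elsif ("$cgiparams{'FORCE'}" eq "on") {`. The remove hunk has the same gap with `$cgiparams{'DELPAKS'}`. Separately, `$errormessage` is assigned after `&Header::openbigbox('100%', 'left', '', $errormessage)` has already run on the context line above, so the message is shown only if it is rendered again outside this hunk. The `else` branch continues past the end of the hunk.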
@@ -94,12 +101,17 @@ END
                exit;
        }
 } elsif ($cgiparams{'ACTION'} eq 'remove') {
-
        $cgiparams{'DELPAKS'} =~ s/\|/\ /g;
        if ("$cgiparams{'FORCE'}" eq "on") {
-               my $command = "/usr/local/bin/pakfire remove --non-interactive --no-colors $cgiparams{'DELPAKS'} &>/dev/null &";
-               system("$command");
-               system("/bin/sleep 1");
+               # Check for invalid package names.
+               if (&check_input($cgiparams{'DELPAKS'})) {
+                       # Assign error message.
+                       $errormessage = "$Lang::tr{'pakfire invalid characters in package list'}";
+               } else {
+                       my $command = "/usr/local/bin/pakfire remove --non-interactive --no-colors $cgiparams{'DELPAKS'} &>/dev/null &";
+                       system("$command");
+                       system("/bin/sleep 1");
+               }
        } else {
                &Header::openbox("100%", "center", $Lang::tr{'request'});
                my @output = `/usr/local/bin/pakfire resolvedeps --no-colors $cgiparams{'DELPAKS'}`;
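Review bot: `$cgiparams{'DELPAKS'} =~ s/\|/\ /g;` runs before `&check_input($cgiparams{'DELPAKS'})`, so the function receives one scalar with the package names joined by spaces. A space is not in `[\w-]`, so any selection of more than one package would be reported as invalid. Check the individual names instead, for example `if (&check_input(split(/\|/, $cgiparams{'DELPAKS'}))) {` placed ahead of the substitution. The install hunk has the same ordering with `$cgiparams{'INSPAKS'}`. The `else` branch continues past the end of the hunk.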
@@ -315,3 +327,22 @@ END
 &Header::closebox();
 &Header::closebigbox();
 &Header::closepage();
+
+#
+## Function to check a given package list for invalid characters.
+#
+## Valid characters are a-z, A-Z, - and and the underscrore.
+## In case an invalid character will be detected, the function will return true.
+#
+sub check_input (@) {
+        my (@packages) = @_;
+
+       # Loop through the array of given pakages.
+       foreach my $name (@packages) {
+               # Check if it contains any unallowed charackters.
+               unless ($name =~ /^[\w-]+$/) {
+                       # An unallowed character has been detected. Return "1" - True.
+                       return 1;
+               }
+       }
+}
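Review bot: `check_input` has no explicit return on the success path: when every name matches, the sub falls off the end of the `foreach` and returns whatever the loop leaves behind, so add `return 0;` after the loop. The pattern `/^[\w-]+$/` also lets a trailing newline through because of `$`, and it accepts a name that begins with `-`, which pakfire would presumably read as an option; `/\A\w[\w-]*\z/` closes both. The header comment lists only letters, `-` and the underscore, while `\w` matches digits as well, so the comment should say so. The `(@)` prototype has no effect here, since the callers use the `&check_input(...)` form.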