pakfire.cgi: Check user given package list for invalid characters. bugfix-12616
author Stefan Schantl <stefan.schantl@ipfire.org>
Sat, 15 May 2021 20:10:47 +0000 (22:10 +0200)
committer Stefan Schantl <stefan.schantl@ipfire.org>
Sat, 15 May 2021 20:10:47 +0000 (22:10 +0200)
commit d06b0ef16f08c663acaa9725206650893fc1cd74
tree 5a78b7fb3dd4911855b35a817fedd9af44637565
parent cf3806f27ca0d53ed0e1c28e4e23e4cd53816da6
pakfire.cgi: Check user given package list for invalid characters.

Check the user given list of packages which should be installed or
removed for any unallowed characters.

Otherwise the list could contain manipulated elements, which will be passed to
the shell which calls the pakfire instance. This allows an attacker who is authenticated
to the WUI to perform RCE.

Fixes #12616.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
html/cgi-bin/pakfire.cgi
langs/de/cgi-bin/de.pl
langs/en/cgi-bin/en.pl
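
An added example, not the commit's own code (the diff is not shown on this page): one way to validate a user-supplied package list before it reaches the command that runs pakfire. The `|` separator, the allowed character set and the name `parse_package_list` are assumptions, and `$^X` stands in for the real helper binary.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed allowlist: a name starts with an alphanumeric and continues with
# alphanumerics, '.', '_', '+' or '-'. \A and \z anchor the whole string, so a
# trailing newline is rejected as well (which '$' would let through).
my $VALID_PKG = qr/\A[A-Za-z0-9][A-Za-z0-9._+-]*\z/;

# Split the form value on '|' (assumed separator) and validate every element.
# Returns (\@packages, undef) on success or (undef, $reason) on failure.
sub parse_package_list {
    my ($raw) = @_;
    return (undef, 'empty list') unless defined $raw && length $raw;
    # Limit -1 keeps trailing empty fields, so "htop|" fails validation.
    my @pkgs = split /\|/, $raw, -1;
    for my $pkg (@pkgs) {
        return (undef, 'invalid package name') unless $pkg =~ $VALID_PKG;
    }
    return (\@pkgs, undef);
}

# Constructed sample inputs, not taken from the bug report.
my @samples = ('htop|nano', 'htop;true', 'nano$(true)', '-x|htop', "htop\n", 'htop|');

for my $raw (@samples) {
    my ($pkgs, $reason) = parse_package_list($raw);
    (my $shown = $raw) =~ s/\n/\\n/g;    # make a newline visible in the output
    if (!$pkgs) {
        printf "reject  %-14s %s\n", $shown, $reason;
        next;
    }
    printf "accept  %s\n", $shown;
    # List-form system() executes the program directly; no shell parses the
    # arguments. $^X (this perl) stands in for the real helper binary.
    system($^X, '-e', 'print "  argv: @ARGV\n"', @$pkgs) == 0
        or warn "helper failed: $?\n";
}
```

Only the first sample is accepted. Requiring a leading alphanumeric also rejects elements that the called program would read as options.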