From d06b0ef16f08c663acaa9725206650893fc1cd74 Mon Sep 17 00:00:00 2001
From: Stefan Schantl
Date: Sat, 15 May 2021 22:10:47 +0200
Subject: [PATCH] pakfire.cgi: Check user given package list for invalid characters.
Check the user given list of packages which should be installed or removed for any unallowed characters. Otherwise the list could contain manipulated elements, which will be passed to the shell which calls the pakfire instance. This allows an attacker which is authenticated to the WUI to perform RCE.
Fixes #12616.
Signed-off-by: Stefan Schantl
---
 html/cgi-bin/pakfire.cgi | 45 +++++++++++++++++++++++++++++++++-------
 langs/de/cgi-bin/de.pl | 1 +
 langs/en/cgi-bin/en.pl | 1 +
 3 files changed, 40 insertions(+), 7 deletions(-)
diff --git a/html/cgi-bin/pakfire.cgi b/html/cgi-bin/pakfire.cgi
index a9e12d23c1..4dad5b2c11 100644
--- a/html/cgi-bin/pakfire.cgi
+++ b/html/cgi-bin/pakfire.cgi
@@ -54,12 +54,19 @@ sub refreshpage{&Header::openbox( 'Waiting', 1, " 'Wählen Sie ein oder mehrere Pakete zur Installation aus und drücken Sie auf das plus-Symbol.',
 'pakfire install package' => 'Sie möchten folgende Pakete installieren: ',
 'pakfire installed addons' => 'Installierte Addons:',
+'pakfire invalid characters in package list' => 'Die Paketliste beinhaltet ungültige Zeichen',
 'pakfire invalid tree' => '',
 'pakfire last core list update' => 'Letztes Corelisten Update ist',
 'pakfire last package update' => 'Letztes Paketlisten Update ist',
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index dc1fd8d67b..23a954a6f9 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -2005,6 +2005,7 @@
 'pakfire install description' => 'Please choose one or more items from the list below and click the plus to install.',
 'pakfire install package' => 'You want to install the following packages: ',
 'pakfire installed addons' => 'Installed Addons:',
+'pakfire invalid characters in package list' => 'The package list contains invalid characters',
 'pakfire invalid tree' => 'Invalid repository selected',
 'pakfire last core list update' => 'Last core list update made',
 'pakfire last package update' => 'Last packages list update made',
--
2.39.2