authornachoparker <nacho@ownyourbits.com>2019-01-05 01:22:56 +0300
committernachoparker <nacho@ownyourbits.com>2019-01-05 04:14:53 +0300
commitc842e00399cb298667fe177dbab825e17b4b21a0 (patch)
tree55a80c3a09b9c4151fad10966d301b314dbec37d
parent7dd482893854079cbaf62671166a75330e3141dd (diff)
sanitize params
-rwxr-xr-xbin/ncp-config2
-rw-r--r--etc/library.sh2
-rw-r--r--ncp-web/ncp-launcher.php10
3 files changed, 11 insertions, 3 deletions
diff --git a/bin/ncp-config b/bin/ncp-config
index 6dd36171..e3af2911 100755
--- a/bin/ncp-config
+++ b/bin/ncp-config
@@ -96,7 +96,7 @@ function config_menu()
# launch selected ncp_app
info_app "$ncp_app" || continue
- configure_app "$ncp_app" || continue
+ configure_app "$ncp_app" && \
run_app "$ncp_app"
echo "Done. Press any key..."
read -r
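Review bot: The backslash after `&&` on the changed `configure_app` line is redundant; a line that ends in `&&` already continues onto the next one, so `configure_app "$ncp_app" &&` followed by `run_app "$ncp_app"` reads the same without it. Dropping `|| continue` also changes flow: a failed `configure_app` now falls through to the "Done. Press any key..." prompt instead of restarting the menu, which looks intended so the "Invalid characters" message printed by configure_app stays on screen, but nothing in the code records that. A one-line comment such as `# fall through on failure so configure_app's error message stays visible` would prevent the next editor from restoring the `continue`. config_menu starts and ends outside the hunk.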
diff --git a/etc/library.sh b/etc/library.sh
index 0282b9e7..02450bba 100644
--- a/etc/library.sh
+++ b/etc/library.sh
@@ -61,7 +61,7 @@ function configure_app()
for (( i = 0 ; i < len ; i++ )); do
# check for invalid characters
- grep -q "[;&[:space:]]" <<< "${ret_vals[$i]}" && { echo "Invalid characters in field ${vars[$i]}"; break; }
+ grep -q '[\\&#;`|*?~<>^()[{}$&[:space:]]' <<< "${ret_vals[$i]}" && { echo "Invalid characters in field ${vars[$i]}"; return 1; }
cfg="$(jq ".params[$i].value = \"${ret_vals[$i]}\"" <<<"$cfg")"
done
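Review bot: The widened character class still admits a double quote, yet the very next line splices `${ret_vals[$i]}` into the jq program inside `\"...\"`, so a value containing `"` terminates that string literal and the remainder is parsed as jq syntax rather than data. The robust fix is to stop interpolating the value into the filter and bind it as an argument: `cfg="$(jq --arg v "${ret_vals[$i]}" ".params[$i].value = \$v" <<<"$cfg")"`; if the grep deny-list is kept as defence in depth, add `"` to it. The class also lists `&` twice, harmless but a sign the list was assembled by hand; an allow-list of accepted characters would be easier to audit than a growing deny-list. Changing `break` to `return 1` is what lets the caller in bin/ncp-config stop on invalid input. The for loop and configure_app continue outside the hunk.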
diff --git a/ncp-web/ncp-launcher.php b/ncp-web/ncp-launcher.php
index 8590b066..6f103f6b 100644
--- a/ncp-web/ncp-launcher.php
+++ b/ncp-web/ncp-launcher.php
@@ -58,7 +58,15 @@ if ( $_POST['action'] == "launch" && $_POST['config'] )
or exit('{ "output": "Invalid request" }');
foreach ($cfg['params'] as $index => $param)
- $cfg['params'][$index]['value'] = $new_params[$cfg['params'][$index]['id']];
+ {
+ // sanitize
+ $val = trim(escapeshellarg($new_params[$cfg['params'][$index]['id']]),"'");
+ preg_match( '/ /' , $val , $matches )
+ and exit( '{ "output": "Invalid parameters" , "token": "' . getCSRFToken() . '" }' );
+
+ // save
+ $cfg['params'][$index]['value'] = $val;
+ }
$cfg_str = json_encode($cfg)
or exit('{ "output": "' . $ncp_app . ' internal error" }');
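Review bot: `trim(escapeshellarg(...), "'")` on the first added line does not sanitize the value: for any input without a single quote it returns the input unchanged, and the only check that follows, `preg_match('/ /', ...)`, rejects a literal space and nothing else, so `;`, `"`, backticks and tabs pass through into `$cfg` and are presumably left for the grep in etc/library.sh to catch. Inputs that do contain `'` come back altered rather than rejected (`'\''` sequences, or a trailing backslash when the value ends in a quote), and a missing `$new_params[...]` key hands escapeshellarg an undefined value. Validate the raw string instead and reject anything outside the characters the backend accepts, including all whitespace: `$val = $new_params[$cfg['params'][$index]['id']] ?? '';` (PHP 7+) followed by a `preg_match` against the same character class etc/library.sh uses in this commit. The enclosing `if` block opens before the hunk and may continue beyond its last visible line.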