From 1758331c1875263b8b4a1176de1a0056d1f7d0c7 Mon Sep 17 00:00:00 2001
From: nachoparker
Date: Sat, 27 Oct 2018 08:00:15 -0600
Subject: check for path transversal

---
 changelog.md | 8 +++++---
 ncp.sh | 3 ++-
 update.sh | 12 ++++++++++++
 3 files changed, 19 insertions(+), 4 deletions(-)

diff --git a/changelog.md b/changelog.md
index 25e0bf7a..0382d4f9 100644
--- a/changelog.md
+++ b/changelog.md
@@ -1,9 +1,11 @@
-[v0.64.10](https://github.com/nextcloud/nextcloudpi/commit/f836c87) (2018-10-24) update: update sources
+[v0.64.11](https://github.com/nextcloud/nextcloudpi/commit/89218e5) (2018-10-27) check for path transversal
-[v0.64.9](https://github.com/nextcloud/nextcloudpi/commit/b847ad4) (2018-10-23) ncp-config: use simple characters
+[v0.64.10](https://github.com/nextcloud/nextcloudpi/commit/26083e9) (2018-10-24) update: update sources
-[v0.64.8 ](https://github.com/nextcloud/nextcloudpi/commit/dceacdf) (2018-10-22) ncp-web: update chinese translations
+[v0.64.9 ](https://github.com/nextcloud/nextcloudpi/commit/54e5c21) (2018-10-23) ncp-config: use simple characters
+
+[v0.64.8 ](https://github.com/nextcloud/nextcloudpi/commit/9d998ae) (2018-10-22) ncp-web: update chinese translations
 [v0.64.7 ](https://github.com/nextcloud/nextcloudpi/commit/20a4147) (2018-10-21) ncp-web: update chinese translations
diff --git a/ncp.sh b/ncp.sh
index 2ebf2da7..900d5e6a 100644
--- a/ncp.sh
+++ b/ncp.sh
@@ -130,7 +130,8 @@ EOF
 cat > /home/www/ncp-launcher.sh <<'EOF'
 #!/bin/bash
 DIR=/usr/local/etc/ncp-config.d
-test -f $DIR/$1 || { echo "File not found"; exit 1; }
+[[ -f $DIR/$1 ]] || { echo "File not found"; exit 1; }
+[[ "$1" =~ ../ ]] && { echo "Forbidden path"; exit 2; }
 source /usr/local/etc/library.sh
 cd $DIR
 launch_script $1
diff --git a/update.sh b/update.sh
index 58bde136..698ef844 100755
--- a/update.sh
+++ b/update.sh
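Review bot: The new traversal check in ncp-launcher.sh uses the regex `../`, in which each `.` is a metacharacter, so it matches any two characters before a slash rather than the literal parent-directory sequence; and because it runs after the `-f` test, an argument pointing outside the directory still receives a distinguishable "File not found" reply before it is rejected. I would match the literal sequence and evaluate it first: `[[ "$1" == *../* ]] && { echo "Forbidden path"; exit 2; }` followed by `[[ -f $DIR/$1 ]] || { echo "File not found"; exit 1; }`. If scripts under ncp-config.d are never kept in subdirectories, rejecting any `/` in `$1` would be the simpler and stricter rule, but the hunk does not show whether that holds. The same launcher text is written again in the update.sh hunk and should get the identical change. The here-document's EOF terminator lies outside this hunk.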
@@ -218,6 +218,18 @@ EOF
 [[ "$( ls -l /etc/php/7.2/fpm/conf.d/*-opcache.ini | wc -l )" -gt 1 ]] && rm "$( ls /etc/php/7.2/fpm/conf.d/*-opcache.ini | tail -1 )"
 [[ "$( ls -l /etc/php/7.2/cli/conf.d/*-opcache.ini | wc -l )" -gt 1 ]] && rm "$( ls /etc/php/7.2/cli/conf.d/*-opcache.ini | tail -1 )"
+ # update launcher
+ cat > /home/www/ncp-launcher.sh <<'EOF'
+#!/bin/bash
+DIR=/usr/local/etc/ncp-config.d
+[[ -f $DIR/$1 ]] || { echo "File not found"; exit 1; }
+[[ "$1" =~ ../ ]] && { echo "Forbidden path"; exit 2; }
+source /usr/local/etc/library.sh
+cd $DIR
+launch_script $1
+EOF
+ chmod 700 /home/www/ncp-launcher.sh
+
 } # end - only live updates
 exit 0
-- 
cgit v1.2.3