From 5de855ffecc49899a58d6078fb45afe42d3fe43a Mon Sep 17 00:00:00 2001 From: nachoparker Date: Sat, 1 Jun 2019 15:43:09 -0600 Subject: ncp-web: avoid quotes in fields Signed-off-by: nachoparker --- changelog.md | 4 +++- etc/library.sh | 2 +- ncp-web/ncp-launcher.php | 2 +- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/changelog.md b/changelog.md index bc04b630..6c384f7b 100644 --- a/changelog.md +++ b/changelog.md @@ -1,5 +1,7 @@ -[v1.13.0](https://github.com/nextcloud/nextcloudpi/commit/4572d74) (2019-06-01) upgrade to NC15.0.8 +[v1.13.1](https://github.com/nextcloud/nextcloudpi/commit/18172be) (2019-06-01) ncp-web: avoid quotes in fields + +[v1.13.0](https://github.com/nextcloud/nextcloudpi/commit/86f14ae) (2019-06-01) upgrade to NC15.0.8 [v1.12.10](https://github.com/nextcloud/nextcloudpi/commit/5924131) (2019-06-01) fail2ban: fix missing ufw filter diff --git a/etc/library.sh b/etc/library.sh index 1b41fe2c..7e124638 100644 --- a/etc/library.sh +++ b/etc/library.sh @@ -62,7 +62,7 @@ function configure_app() for (( i = 0 ; i < len ; i++ )); do # check for invalid characters - grep -q '[\\&#;`|*?~<>^()[{}$&[:space:]]' <<< "${ret_vals[$i]}" && { echo "Invalid characters in field ${vars[$i]}"; return 1; } + grep -q '[\\&#;'"'"'`|*?~<>^"()[{}$&[:space:]]' <<< "${ret_vals[$i]}" && { echo "Invalid characters in field ${vars[$i]}"; return 1; } cfg="$(jq ".params[$i].value = \"${ret_vals[$i]}\"" <<<"$cfg")" done diff --git a/ncp-web/ncp-launcher.php b/ncp-web/ncp-launcher.php index 122a43ba..a74bb01a 100644 --- a/ncp-web/ncp-launcher.php +++ b/ncp-web/ncp-launcher.php @@ -66,7 +66,7 @@ if ( $_POST['action'] == "launch" && $_POST['config'] ) // sanitize $val = trim(escapeshellarg($new_params[$id]),"'"); - preg_match( '/ /' , $val , $matches ) + preg_match( '/[\'" ]/' , $val , $matches ) and exit( '{ "output": "Invalid parameters" , "token": "' . getCSRFToken() . '" }' ); // save -- cgit v1.2.3
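Review bot: The field value is still spliced into the jq program text on the `cfg=` line of the etc/library.sh hunk, so the widened denylist in the `grep -q` line stays the only thing keeping field content from being parsed as jq syntax. Passing the value as data removes that dependency: `cfg="$(jq --arg v "${ret_vals[$i]}" ".params[$i].value = \$v" <<<"$cfg")"`. The character check is still worth keeping for whatever consumes these values in shell later. Note that grep reads the here-string line by line, so `[:space:]` cannot match an embedded newline, should one ever reach this point. `configure_app` starts and ends outside the hunk, so where `ret_vals` is filled is not visible here.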
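Review bot: The new pattern `/[\'" ]/` in ncp-web/ncp-launcher.php rejects only quotes and the literal space, while the check in etc/library.sh from this same commit uses `[:space:]` plus a long list of shell metacharacters, so the web front end accepts values that the shell side later treats as invalid. Because `trim(escapeshellarg(...),"'")` removes the outer quoting that `escapeshellarg()` added, this `preg_match` is the effective filter at this point. I would at least match all whitespace, `preg_match( '/[\'"\s]/' , $val )`, and preferably validate each field against an allowlist of expected characters. `$matches` is never read in the visible lines and can be dropped. The enclosing `if` block continues past the hunk, so how `$val` is saved and used afterwards is not visible here.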