cgi-io: require whitelisting upload locations
authorJo-Philipp Wich <jo@mein.io>
Fri, 30 Aug 2019 05:50:43 +0000 (07:50 +0200)
committerJohn Crispin <john@phrozen.org>
Fri, 30 Aug 2019 11:58:50 +0000 (13:58 +0200)
commite8e481e6183a4922b2db0880a47df906fabd892f
tree62ed1416303836f709047e893668d2ff61e0767e
parent8f3dfdf03b1121c54f60ff2fb3fc1bc2680089b7
cgi-io: require whitelisting upload locations

Introduce further ACL checks to verify that the request-supplied
upload location may be written to. This prevents overwriting things
like /bin/busybox and allows to confine uploads to specific directories.

To setup the required ACLs, the following ubus command may be used
on the command line:

ubus call session grant '{
  "ubus_rpc_session": "d41d8cd98f00b204e9800998ecf8427e",
  "scope": "cgi-io",
  "objects": [
    [ "/etc/certificates/*", "write" ],
    [ "/var/uploads/*", "write" ]
  ]
}'

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Makefile
src/main.c