--- /dev/null
+From a06aa79a308585cc6048f725f2dc3c1d55ff9991 Mon Sep 17 00:00:00 2001
+From: Alexey Sokolov <alexey+znc@asokolov.org>
+Date: Wed, 12 Jun 2019 08:57:29 +0100
+Subject: [PATCH] Fix remote code execution and privilege escalation
+ vulnerability.
+
+To trigger this, need to have a user already.
+
+Thanks for Jeriko One <jeriko.one@gmx.us> for finding and reporting this.
+
+CVE-2019-12816
+---
+ include/znc/Modules.h | 1 +
+ src/Modules.cpp | 33 ++++++++++++++++++++++++++++-----
+ 2 files changed, 29 insertions(+), 5 deletions(-)
+
+--- a/include/znc/Modules.h
++++ b/include/znc/Modules.h
+@@ -1253,6 +1253,7 @@ public:
+ private:
+ static ModHandle OpenModule(const CString& sModule, const CString& sModPath,
+ bool &bVersionMismatch, CModInfo& Info, CString& sRetMsg);
++ static bool ValidateModuleName(const CString& sModule, CString& sRetMsg);
+
+ protected:
+ CUser* m_pUser;
+--- a/src/Modules.cpp
++++ b/src/Modules.cpp
+@@ -1014,9 +1014,26 @@ CModule* CModules::FindModule(const CStr
+ return NULL;
+ }
+
++bool CModules::ValidateModuleName(const CString& sModule, CString& sRetMsg) {
++ for (unsigned int a = 0; a < sModule.length(); a++) {
++ if (((sModule[a] < '0') || (sModule[a] > '9')) &&
++ ((sModule[a] < 'a') || (sModule[a] > 'z')) &&
++ ((sModule[a] < 'A') || (sModule[a] > 'Z')) && (sModule[a] != '_')) {
++ sRetMsg = "Module names can only contain letters, numbers and underscores, [" + sModule + "] is invalid.";
++ return false;
++ }
++ }
++
++ return true;
++}
++
+ bool CModules::LoadModule(const CString& sModule, const CString& sArgs, CModInfo::EModuleType eType, CUser* pUser, CIRCNetwork *pNetwork, CString& sRetMsg) {
+ sRetMsg = "";
+
++ if (!ValidateModuleName(sModule, sRetMsg)) {
++ return false;
++ }
++
+ if (FindModule(sModule) != NULL) {
+ sRetMsg = "Module [" + sModule + "] already loaded.";
+ return false;
+@@ -1167,6 +1184,10 @@ bool CModules::ReloadModule(const CStrin
+ bool CModules::GetModInfo(CModInfo& ModInfo, const CString& sModule, CString& sRetMsg) {
+ CString sModPath, sTmp;
+
++ if (!ValidateModuleName(sModule, sRetMsg)) {
++ return false;
++ }
++
+ bool bSuccess;
+ bool bHandled = false;
+ GLOBALMODULECALL(OnGetModInfo(ModInfo, sModule, bSuccess, sRetMsg), &bHandled);
+@@ -1183,6 +1204,10 @@ bool CModules::GetModInfo(CModInfo& ModI
+ bool CModules::GetModPathInfo(CModInfo& ModInfo, const CString& sModule, const CString& sModPath, CString& sRetMsg) {
+ bool bVersionMismatch;
+
++ if (!ValidateModuleName(sModule, sRetMsg)) {
++ return false;
++ }
++
+ ModHandle p = OpenModule(sModule, sModPath, bVersionMismatch, ModInfo, sRetMsg);
+
+ if (!p)
+@@ -1302,11 +1327,9 @@ ModHandle CModules::OpenModule(const CSt
+ bVersionMismatch = false;
+ sRetMsg.clear();
+
+- for (unsigned int a = 0; a < sModule.length(); a++) {
+- if (((sModule[a] < '0') || (sModule[a] > '9')) && ((sModule[a] < 'a') || (sModule[a] > 'z')) && ((sModule[a] < 'A') || (sModule[a] > 'Z')) && (sModule[a] != '_')) {
+- sRetMsg = "Module names can only contain letters, numbers and underscores, [" + sModule + "] is invalid.";
+- return NULL;
+- }
++
++ if (!ValidateModuleName(sModule, sRetMsg)) {
++ return NULL;
+ }
+
+ // The second argument to dlopen() has a long history. It seems clear
projects / feed / packages.git / commitdiff