luci-base: sys: prevent path traversal via sys.init routines
authorJo-Philipp Wich <jo@mein.io>
Wed, 19 Jan 2022 15:32:52 +0000 (16:32 +0100)
committerJo-Philipp Wich <jo@mein.io>
Wed, 19 Jan 2022 15:34:21 +0000 (16:34 +0100)
Filter the init script name parameter through fs.basename() to avoid
invoking paths outside of /etc/init.d/.

Reported-by: Graham R <gr348@cam.ac.uk>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 8752701b0d01a81d0bd0a735be733f24ad11ab69)

modules/luci-base/luasrc/sys.lua

index bf21b5f191a71a2d6cc66cc1553767c543b0f1f2..bfbd6f2fe6b4ed8c8fc8afddf127a38c0bae9df6 100644 (file)
@@ -566,6 +566,7 @@ function init.names()
 end
 
 function init.index(name)
+       name = fs.basename(name)
        if fs.access(init.dir..name) then
                return call("env -i sh -c 'source %s%s enabled; exit ${START:-255}' >/dev/null"
                        %{ init.dir, name })
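Review bot: `fs.basename(name)` in `init.index` removes directory components, but the result is still formatted unquoted into the `sh -c '…'` string passed to `call()`, so the only thing constraining its characters is the `fs.access(init.dir..name)` existence check. That holds only as long as nothing can create arbitrarily named files under `init.dir`; a character allow-list right after the basename line would make the guarantee independent of the directory's contents, e.g. `if not name:match("^[%w_%.%-]+$") then return end`. The same applies to the identical line added to `init_action` in the next hunk, where `action` is interpolated as well (its callers are not visible here, presumably they pass fixed strings). A short comment such as `-- strip directory components so only scripts directly under init.dir are reachable` would also keep the call from being dropped in a later cleanup. Both function bodies end outside their hunks.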
@@ -573,6 +574,7 @@ function init.index(name)
 end
 
 local function init_action(action, name)
+       name = fs.basename(name)
        if fs.access(init.dir..name) then
                return call("env -i %s%s %s >/dev/null" %{ init.dir, name, action })
        end