From: Jo-Philipp Wich Date: Wed, 19 Jan 2022 15:32:52 +0000 (+0100) Subject: luci-base: sys: prevent path traversal via sys.init routines X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=cc8ba6e3010ba58fb188eacb93af43fc05f11791;p=project%2Fluci.git luci-base: sys: prevent path traversal via sys.init routines Filter the init script name parameter through fs.basename() to avoid invoking paths outside of /etc/init.d/. Reported-by: Graham R Signed-off-by: Jo-Philipp Wich (cherry picked from commit 8752701b0d01a81d0bd0a735be733f24ad11ab69)
---
diff --git a/modules/luci-base/luasrc/sys.lua b/modules/luci-base/luasrc/sys.lua
index bf21b5f191..bfbd6f2fe6 100644
--- a/modules/luci-base/luasrc/sys.lua
+++ b/modules/luci-base/luasrc/sys.lua
@@ -566,6 +566,7 @@ function init.names()
 end
 
 function init.index(name)
+ name = fs.basename(name)
 if fs.access(init.dir..name) then
 return call("env -i sh -c 'source %s%s enabled; exit ${START:-255}' >/dev/null"
 %{ init.dir, name })
@@ -573,6 +574,7 @@ function init.index(name)
 end
 
 local function init_action(action, name)
+ name = fs.basename(name)
 if fs.access(init.dir..name) then
 return call("env -i %s%s %s >/dev/null" %{ init.dir, name, action })
 end
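Review bot: In `init.index` and in `init_action` the basename result is still spliced unquoted into the shell string given to `call()`, so a name holding whitespace or shell metacharacters is held back only by the `fs.access()` existence test, and `.` and `..` pass through `fs.basename()` unchanged. The added line also rewrites a slash-bearing input to a different script name instead of refusing it, which means a malformed request can act on a real init script that the caller never named. I would reject rather than rewrite, with `if type(name) ~= "string" or not name:match("^[%w_][%w_.-]*$") then return end` ahead of the `fs.access` test in both functions; the accepted character set is an assumption about init script names and should be checked against the names `init.names()` yields. Both function bodies continue past the end of their hunks.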