cgi-io: require whitelisting upload locations
author Jo-Philipp Wich <jo@mein.io>
Fri, 30 Aug 2019 05:50:43 +0000 (07:50 +0200)
committer John Crispin <john@phrozen.org>
Fri, 30 Aug 2019 11:58:50 +0000 (13:58 +0200)
commit 22be9a1c0173a232d651059d84145bb6f51d3f67
tree 331b2d17488e7174e9dac68032a24164b4c0dc45
parent 4f43e9b388496032b20db2c782a33a7898c63eec
cgi-io: require whitelisting upload locations

Introduce further ACL checks to verify that the request-supplied
upload location may be written to. This prevents overwriting things
like /bin/busybox and allows confining uploads to specific directories.

To set up the required ACLs, the following ubus command may be used
on the command line:

ubus call session grant '{
  "ubus_rpc_session": "d41d8cd98f00b204e9800998ecf8427e",
  "scope": "cgi-io",
  "objects": [
    [ "/etc/certificates/*", "write" ],
    [ "/var/uploads/*", "write" ]
  ]
}'

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
net/cgi-io/Makefile
net/cgi-io/src/main.c
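
The following is an added example, not code from this commit or from cgi-io: a default-deny check of a request-supplied upload path against the two "write" patterns from the grant example above. It assumes glob-style matching via fnmatch(3) and lexical path normalisation before matching; the names `write_acl`, `normalize` and `upload_allowed` are hypothetical.

```c
#include <fnmatch.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed allowlist: the two "write" patterns from the grant example. */
static const char *const write_acl[] = { "/etc/certificates/*", "/var/uploads/*" };

/* Lexically normalise an absolute path: collapse "//", "." and "..".
 * Symlinks are not resolved. Rejects relative paths and ".." above root. */
static bool normalize(const char *in, char *out, size_t outlen)
{
	size_t n = 0, len;
	if (in[0] != '/' || outlen < 2) return false;
	while (*in) {
		while (*in == '/') in++;
		len = strcspn(in, "/");
		if (len == 2 && in[0] == '.' && in[1] == '.') {
			if (n == 0) return false;
			while (out[--n] != '/') ;	/* drop the last component */
		} else if (len > 0 && !(len == 1 && in[0] == '.')) {
			if (n + len + 2 > outlen) return false;
			out[n++] = '/';
			memcpy(out + n, in, len);
			n += len;
		}
		in += len;
	}
	if (n == 0) out[n++] = '/';
	out[n] = '\0';
	return true;
}

/* Default-deny: true only if the normalised path matches an allowlisted glob. */
static bool upload_allowed(const char *requested)
{
	char path[4096];
	size_t i;
	if (!normalize(requested, path, sizeof(path))) return false;
	for (i = 0; i < sizeof(write_acl) / sizeof(write_acl[0]); i++)
		if (fnmatch(write_acl[i], path, 0) == 0) return true;
	return false;
}

int main(void)
{
	printf("%d %d\n", upload_allowed("/var/uploads/fw.bin"), upload_allowed("/bin/busybox"));
	return 0;
}
```

Because `*` in fnmatch(3) without `FNM_PATHNAME` also matches `/`, the pattern covers subdirectories, which is why the path is normalised before it is matched rather than after.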