fix possible privilege escalation from customer to root when specifying custom error documents in directory-options
Signed-off-by: Michael Kaufmann <d00p@froxlor.org>
This commit is contained in:
Michael Kaufmann
@@ -157,16 +157,15 @@ class DirOptions extends ApiCommand implements ResourceEntity
|
||||
* this functions validates a given value as ErrorDocument
|
||||
* refs #267
|
||||
*
|
||||
* @param
|
||||
* string error-document-string
|
||||
* @param string $errdoc
|
||||
* @param bool $throw_exception
|
||||
*
|
||||
* @return string error-document-string
|
||||
*
|
||||
*/
|
||||
private function correctErrorDocument($errdoc = null, $throw_exception = false)
|
||||
private function correctErrorDocument(string $errdoc, $throw_exception = false)
|
||||
{
|
||||
if ($errdoc !== null && $errdoc != '') {
|
||||
if (trim($errdoc) != '') {
|
||||
// not a URL
|
||||
if ((strtoupper(substr($errdoc, 0, 5)) != 'HTTP:' && strtoupper(substr($errdoc, 0, 6)) != 'HTTPS:') || !Validate::validateUrl($errdoc)) {
|
||||
// a file
|
||||
@@ -176,14 +175,14 @@ class DirOptions extends ApiCommand implements ResourceEntity
|
||||
if (!substr($errdoc, 0, 1) == '/') {
|
||||
$errdoc = '/' . $errdoc;
|
||||
}
|
||||
} else {
|
||||
} elseif (preg_match('/^"([^\r\n\t\f\0"]+)"$/', $errdoc)) {
|
||||
// a string (check for ending ")
|
||||
// string won't work for lighty
|
||||
if (Settings::Get('system.webserver') == 'lighttpd') {
|
||||
Response::standardError('stringerrordocumentnotvalidforlighty', '', $throw_exception);
|
||||
} elseif (substr($errdoc, -1) != '"') {
|
||||
$errdoc .= '"';
|
||||
}
|
||||
} else {
|
||||
Response::standardError('invaliderrordocumentvalue', '', $throw_exception);
|
||||
}
|
||||
} else {
|
||||
if (Settings::Get('system.webserver') == 'lighttpd') {
|
||||
@@ -191,7 +190,7 @@ class DirOptions extends ApiCommand implements ResourceEntity
|
||||
}
|
||||
}
|
||||
}
|
||||
return $errdoc;
|
||||
return trim($errdoc);
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
@@ -147,9 +147,9 @@ class FileDir
|
||||
*/
|
||||
public static function makeSecurePath($path)
|
||||
{
|
||||
// check for bad characters, some are allowed with escaping
|
||||
// check for bad characters, some are allowed with escaping,
|
||||
// but we generally don't want them in our directory-names,
|
||||
// thx to aaronmueller for this snipped
|
||||
// thx to aaronmueller for this snippet
|
||||
$badchars = [
|
||||
':',
|
||||
';',
|
||||
@@ -161,7 +161,11 @@ class FileDir
|
||||
'$',
|
||||
'~',
|
||||
'?',
|
||||
"\0"
|
||||
"\0",
|
||||
"\n",
|
||||
"\r",
|
||||
"\t",
|
||||
"\f"
|
||||
];
|
||||
foreach ($badchars as $bc) {
|
||||
$path = str_replace($bc, "", $path);
|
||||
@@ -606,7 +610,7 @@ class FileDir
|
||||
}
|
||||
|
||||
/**
|
||||
*
|
||||
*
|
||||
* @return array|false
|
||||
*/
|
||||
public static function getFilesystemQuota()
|
||||
|
||||
Reference in New Issue
Block a user