maketank/Froxlor
2
0
Fork 0
Code Pull Requests Releases Activity

add new directory-validator 'confdir' to check against disallowed paths (like /, /bin, /home, etc.)

Browse Source 
Signed-off-by: Michael Kaufmann (d00p) <d00p@froxlor.org>
This commit is contained in:
Michael Kaufmann (d00p)
2013-10-16 08:54:39 +02:00
parent 64e646b526
commit 6b93b973e2
5 changed files with 100 additions and 34 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
lib/functions/formfields/string/function.validateFormFieldString.php
View File

@@ -68,6 +68,26 @@ function validateFormFieldString($fieldname, $fielddata, $newfieldvalue)
$returnvalue = ($newfieldvalue == makeCorrectDir($newfieldvalue)); $returnvalue = ($newfieldvalue == makeCorrectDir($newfieldvalue));
} }
} }
elseif (isset($fielddata['string_type']) && $fielddata['string_type'] == 'confdir') {
// check for empty value (it might be allowed)
if (trim($newfieldvalue) == '') {
$newfieldvalue = '';
$returnvalue = 'stringmustntbeempty';
} else {
// add trailing slash to validate path if needed
// refs #331
if (substr($newfieldvalue, -1) != '/') {
$newfieldvalue.= '/';
}
// if this is a configuration directory, check for stupidity of admins :p
if (checkDisallowedPaths($newfieldvalue) !== true) {
$newfieldvalue = '';
$returnvalue = 'givendirnotallowed';
} else {
$returnvalue = ($newfieldvalue == makeCorrectDir($newfieldvalue));
}
}
}
elseif (isset($fielddata['string_type']) && $fielddata['string_type'] == 'file') { elseif (isset($fielddata['string_type']) && $fielddata['string_type'] == 'file') {
// check for empty value (it might be allowed) // check for empty value (it might be allowed)
if (trim($newfieldvalue) == '') { if (trim($newfieldvalue) == '') {

62
lib/functions/settings/function.storeSettingField.php
View File

@@ -17,62 +17,58 @@
* *
*/ */
function storeSettingField($fieldname, $fielddata, $newfieldvalue) function storeSettingField($fieldname, $fielddata, $newfieldvalue) {
{
if(is_array($fielddata) && isset($fielddata['settinggroup']) && $fielddata['settinggroup'] != '' && isset($fielddata['varname']) && $fielddata['varname'] != '')
{
if(saveSetting($fielddata['settinggroup'], $fielddata['varname'], $newfieldvalue) != false) if (is_array($fielddata)
{ && isset($fielddata['settinggroup'])
&& $fielddata['settinggroup'] != ''
&& isset($fielddata['varname'])
&& $fielddata['varname'] != ''
) {
if (saveSetting($fielddata['settinggroup'], $fielddata['varname'], $newfieldvalue) != false) {
/* /*
* when fielddata[cronmodule] is set, this means enable/disable a cronjob * when fielddata[cronmodule] is set, this means enable/disable a cronjob
*/ */
if(isset($fielddata['cronmodule']) && $fielddata['cronmodule'] != '') if (isset($fielddata['cronmodule'])
{ && $fielddata['cronmodule'] != ''
) {
toggleCronStatus($fielddata['cronmodule'], $newfieldvalue); toggleCronStatus($fielddata['cronmodule'], $newfieldvalue);
} }
/* /*
* satisfy dependencies * satisfy dependencies
*/ */
if(isset($fielddata['dependency']) && is_array($fielddata['dependency'])) if (isset($fielddata['dependency'])
{ && is_array($fielddata['dependency'])
if((int)$fielddata['dependency']['onlyif'] == (int)$newfieldvalue) ) {
{ if ((int)$fielddata['dependency']['onlyif'] == (int)$newfieldvalue) {
storeSettingField($fielddata['dependency']['fieldname'], $fielddata['dependency']['fielddata'], $newfieldvalue); storeSettingField($fielddata['dependency']['fieldname'], $fielddata['dependency']['fielddata'], $newfieldvalue);
} }
} }
return array($fielddata['settinggroup'] . '.' . $fielddata['varname'] => $newfieldvalue); return array($fielddata['settinggroup'] . '.' . $fielddata['varname'] => $newfieldvalue);
} } else {
else
{
return false; return false;
} }
} } else {
else
{
return false; return false;
} }
} }
function storeSettingFieldInsertBindTask($fieldname, $fielddata, $newfieldvalue) function storeSettingFieldInsertBindTask($fieldname, $fielddata, $newfieldvalue) {
{
if(is_array($fielddata) && isset($fielddata['settinggroup']) && $fielddata['settinggroup'] != '' && isset($fielddata['varname']) && $fielddata['varname'] != '') if (is_array($fielddata)
{ && isset($fielddata['settinggroup'])
if(saveSetting($fielddata['settinggroup'], $fielddata['varname'], $newfieldvalue) != false) && $fielddata['settinggroup'] != ''
{ && isset($fielddata['varname'])
&& $fielddata['varname'] != ''
) {
if (saveSetting($fielddata['settinggroup'], $fielddata['varname'], $newfieldvalue) != false) {
return array($fielddata['settinggroup'] . '.' . $fielddata['varname'] => $newfieldvalue); return array($fielddata['settinggroup'] . '.' . $fielddata['varname'] => $newfieldvalue);
} else {
return false;
} }
else } else {
{
return false; return false;
} }
} }
else
{
return false;
}
}
?>

48
lib/functions/validate/function.checkDisallowedPaths.php Normal file
View File

@@ -0,0 +1,48 @@
<?php
/**
* This file is part of the Froxlor project.
* Copyright (c) 2013 the Froxlor Team (see authors).
*
* For the full copyright and license information, please view the COPYING
* file that was distributed with this source code. You can also view the
* COPYING file online at http://files.froxlor.org/misc/COPYING.txt
*
* @copyright (c) the authors
* @author Michael Kaufmann <mkaufmann@nutime.de>
* @author Froxlor team <team@froxlor.org> (2010-)
* @license GPLv2 http://files.froxlor.org/misc/COPYING.txt
* @package Functions
*
* @since 0.9.30
*
*/
/**
* checks a directory against disallowed paths which could
* lead to a damaged system if you use them
*
* @param string $fieldname
* @param array $fielddata
* @param mixed $newfieldvalue
*
* @return boolean|array
*/
function checkDisallowedPaths($path = null) {
/*
* disallow base-directories and /
*/
$disallowed_values = array(
"/", "/bin/", "/boot/", "/dev/", "/etc/", "/home/", "/lib/", "/lib32/", "/lib64/",
"/opt/", "/proc/", "/root/", "/run/", "/sbin/", "/sys/", "/tmp/", "/usr/", "/var/"
);
$path = makeCorrectDir($path);
// check if it's a disallowed path
if (in_array($path, $disallowed_values)) {
return false;
}
return true;
}

1
lng/english.lng.php
View File

@@ -1971,3 +1971,4 @@ $lng['admin']['selectserveralias_desc'] = 'Chose whether froxlor should create a
$lng['domains']['serveraliasoption_wildcard'] = 'Wildcard (*.domain.tld)'; $lng['domains']['serveraliasoption_wildcard'] = 'Wildcard (*.domain.tld)';
$lng['domains']['serveraliasoption_www'] = 'WWW (www.domain.tld)'; $lng['domains']['serveraliasoption_www'] = 'WWW (www.domain.tld)';
$lng['domains']['serveraliasoption_none'] = 'No alias'; $lng['domains']['serveraliasoption_none'] = 'No alias';
$lng['error']['givendirnotallowed'] = 'The given directory in field %s is not allowed.';

1
lng/german.lng.php
View File

@@ -1691,3 +1691,4 @@ $lng['admin']['selectserveralias_desc'] = 'Wählen Sie hier, ob für diese Domai
$lng['domains']['serveraliasoption_wildcard'] = 'Wildcard (*.domain.tld)'; $lng['domains']['serveraliasoption_wildcard'] = 'Wildcard (*.domain.tld)';
$lng['domains']['serveraliasoption_www'] = 'WWW (www.domain.tld)'; $lng['domains']['serveraliasoption_www'] = 'WWW (www.domain.tld)';
$lng['domains']['serveraliasoption_none'] = 'Kein alias'; $lng['domains']['serveraliasoption_none'] = 'Kein alias';
$lng['error']['givendirnotallowed'] = 'Das angegebene Verzeichnis im Feld %s ist nicht erlaubt.';