add new directory-validator 'confdir' to check against disallowed paths (like /, /bin, /home, etc.)
Signed-off-by: Michael Kaufmann (d00p) <d00p@froxlor.org>
@@ -68,6 +68,26 @@ function validateFormFieldString($fieldname, $fielddata, $newfieldvalue)
|
||||
$returnvalue = ($newfieldvalue == makeCorrectDir($newfieldvalue));
|
||||
}
|
||||
}
|
||||
elseif (isset($fielddata['string_type']) && $fielddata['string_type'] == 'confdir') {
|
||||
// check for empty value (it might be allowed)
|
||||
if (trim($newfieldvalue) == '') {
|
||||
$newfieldvalue = '';
|
||||
$returnvalue = 'stringmustntbeempty';
|
||||
} else {
|
||||
// add trailing slash to validate path if needed
|
||||
// refs #331
|
||||
if (substr($newfieldvalue, -1) != '/') {
|
||||
$newfieldvalue.= '/';
|
||||
}
|
||||
// if this is a configuration directory, check for stupidity of admins :p
|
||||
if (checkDisallowedPaths($newfieldvalue) !== true) {
|
||||
$newfieldvalue = '';
|
||||
$returnvalue = 'givendirnotallowed';
|
||||
} else {
|
||||
$returnvalue = ($newfieldvalue == makeCorrectDir($newfieldvalue));
|
||||
}
|
||||
}
|
||||
}
|
||||
elseif (isset($fielddata['string_type']) && $fielddata['string_type'] == 'file') {
|
||||
// check for empty value (it might be allowed)
|
||||
if (trim($newfieldvalue) == '') {
|
||||
|
||||
@@ -17,62 +17,58 @@
|
||||
*
|
||||
*/
|
||||
|
||||
function storeSettingField($fieldname, $fielddata, $newfieldvalue)
|
||||
{
|
||||
if(is_array($fielddata) && isset($fielddata['settinggroup']) && $fielddata['settinggroup'] != '' && isset($fielddata['varname']) && $fielddata['varname'] != '')
|
||||
{
|
||||
function storeSettingField($fieldname, $fielddata, $newfieldvalue) {
|
||||
|
||||
if(saveSetting($fielddata['settinggroup'], $fielddata['varname'], $newfieldvalue) != false)
|
||||
{
|
||||
if (is_array($fielddata)
|
||||
&& isset($fielddata['settinggroup'])
|
||||
&& $fielddata['settinggroup'] != ''
|
||||
&& isset($fielddata['varname'])
|
||||
&& $fielddata['varname'] != ''
|
||||
) {
|
||||
if (saveSetting($fielddata['settinggroup'], $fielddata['varname'], $newfieldvalue) != false) {
|
||||
/*
|
||||
* when fielddata[cronmodule] is set, this means enable/disable a cronjob
|
||||
*/
|
||||
if(isset($fielddata['cronmodule']) && $fielddata['cronmodule'] != '')
|
||||
{
|
||||
if (isset($fielddata['cronmodule'])
|
||||
&& $fielddata['cronmodule'] != ''
|
||||
) {
|
||||
toggleCronStatus($fielddata['cronmodule'], $newfieldvalue);
|
||||
}
|
||||
|
||||
/*
|
||||
* satisfy dependencies
|
||||
*/
|
||||
if(isset($fielddata['dependency']) && is_array($fielddata['dependency']))
|
||||
{
|
||||
if((int)$fielddata['dependency']['onlyif'] == (int)$newfieldvalue)
|
||||
{
|
||||
if (isset($fielddata['dependency'])
|
||||
&& is_array($fielddata['dependency'])
|
||||
) {
|
||||
if ((int)$fielddata['dependency']['onlyif'] == (int)$newfieldvalue) {
|
||||
storeSettingField($fielddata['dependency']['fieldname'], $fielddata['dependency']['fielddata'], $newfieldvalue);
|
||||
}
|
||||
}
|
||||
|
||||
return array($fielddata['settinggroup'] . '.' . $fielddata['varname'] => $newfieldvalue);
|
||||
}
|
||||
else
|
||||
{
|
||||
} else {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
} else {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
function storeSettingFieldInsertBindTask($fieldname, $fielddata, $newfieldvalue)
|
||||
{
|
||||
if(is_array($fielddata) && isset($fielddata['settinggroup']) && $fielddata['settinggroup'] != '' && isset($fielddata['varname']) && $fielddata['varname'] != '')
|
||||
{
|
||||
if(saveSetting($fielddata['settinggroup'], $fielddata['varname'], $newfieldvalue) != false)
|
||||
{
|
||||
function storeSettingFieldInsertBindTask($fieldname, $fielddata, $newfieldvalue) {
|
||||
|
||||
if (is_array($fielddata)
|
||||
&& isset($fielddata['settinggroup'])
|
||||
&& $fielddata['settinggroup'] != ''
|
||||
&& isset($fielddata['varname'])
|
||||
&& $fielddata['varname'] != ''
|
||||
) {
|
||||
if (saveSetting($fielddata['settinggroup'], $fielddata['varname'], $newfieldvalue) != false) {
|
||||
return array($fielddata['settinggroup'] . '.' . $fielddata['varname'] => $newfieldvalue);
|
||||
}
|
||||
else
|
||||
{
|
||||
} else {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
} else {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
?>
|
||||
|
||||
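--- /dev/null
+++ b/lib/functions/validate/function.checkDisallowedPaths.php
@@ -0,0 +1,48 @@
+<?php
+
+/**
+* This file is part of the Froxlor project.
+* Copyright (c) 2013 the Froxlor Team (see authors).
+*
+* For the full copyright and license information, please view the COPYING
+* file that was distributed with this source code. You can also view the
+* COPYING file online at http://files.froxlor.org/misc/COPYING.txt
+*
+* @copyright (c) the authors
+* @author Michael Kaufmann <mkaufmann@nutime.de>
+* @author Froxlor team <team@froxlor.org> (2010-)
+* @license GPLv2 http://files.froxlor.org/misc/COPYING.txt
+* @package Functions
+*
+* @since 0.9.30
+*
+*/
+
+/**
+* checks a directory against disallowed paths which could
+* lead to a damaged system if you use them
+*
+* @param string $fieldname
+* @param array $fielddata
+* @param mixed $newfieldvalue
+*
+* @return boolean|array
+*/
+function checkDisallowedPaths($path = null) {
+
+/*
+* disallow base-directories and /
+*/
+$disallowed_values = array(
+"/", "/bin/", "/boot/", "/dev/", "/etc/", "/home/", "/lib/", "/lib32/", "/lib64/",
+"/opt/", "/proc/", "/root/", "/run/", "/sbin/", "/sys/", "/tmp/", "/usr/", "/var/"
+);
+
+$path = makeCorrectDir($path);
+
+// check if it's a disallowed path
+if (in_array($path, $disallowed_values)) {
+return false;
+}
+return true;
+}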
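Review bot: The docblock on checkDisallowedPaths documents a different signature — it lists `$fieldname`, `$fielddata`, `$newfieldvalue` and `@return boolean|array`, while the function takes a single `$path` and returns only true or false; replace those tags with `@param string|null $path directory to check` and `@return bool true when the normalized path is not one of the listed base directories, false otherwise`. The deny list is consulted by exact match (`in_array($path, $disallowed_values)`), so only the listed directories themselves are rejected and any subdirectory of them passes; that looks intentional, since configuration directories legitimately live below `/etc/`, but a comment stating `// only the base directories themselves are rejected, their subdirectories are allowed` would make the contract explicit for the next maintainer. Either way the lookup should pass `strict: true` (`in_array($path, $disallowed_values, true)`) to avoid loose comparison. Whether inputs containing `..` or repeated slashes reach the comparison in canonical form depends on makeCorrectDir, which is defined outside this file and should be confirmed to normalize them.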
@@ -1971,3 +1971,4 @@ $lng['admin']['selectserveralias_desc'] = 'Chose whether froxlor should create a
|
||||
$lng['domains']['serveraliasoption_wildcard'] = 'Wildcard (*.domain.tld)';
|
||||
$lng['domains']['serveraliasoption_www'] = 'WWW (www.domain.tld)';
|
||||
$lng['domains']['serveraliasoption_none'] = 'No alias';
|
||||
$lng['error']['givendirnotallowed'] = 'The given directory in field %s is not allowed.';
|
||||
|
||||
@@ -1691,3 +1691,4 @@ $lng['admin']['selectserveralias_desc'] = 'Wählen Sie hier, ob für diese Domai
|
||||
$lng['domains']['serveraliasoption_wildcard'] = 'Wildcard (*.domain.tld)';
|
||||
$lng['domains']['serveraliasoption_www'] = 'WWW (www.domain.tld)';
|
||||
$lng['domains']['serveraliasoption_none'] = 'Kein alias';
|
||||
$lng['error']['givendirnotallowed'] = 'Das angegebene Verzeichnis im Feld %s ist nicht erlaubt.';
|
||||
|
||||