check for path transversal

Jeanoo · Oct 27, 2018 · 1758331 · 1758331
1 parent 6446229
commit 1758331
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 4 deletions.
diff --git a/changelog.md b/changelog.md
@@ -1,9 +1,11 @@
 
-[v0.64.10](https://github.com/nextcloud/nextcloudpi/commit/f836c87) (2018-10-24) update: update sources
+[v0.64.11](https://github.com/nextcloud/nextcloudpi/commit/89218e5) (2018-10-27) check for path transversal
 
-[v0.64.9](https://github.com/nextcloud/nextcloudpi/commit/b847ad4) (2018-10-23) ncp-config: use simple characters
+[v0.64.10](https://github.com/nextcloud/nextcloudpi/commit/26083e9) (2018-10-24) update: update sources
 
-[v0.64.8 ](https://github.com/nextcloud/nextcloudpi/commit/dceacdf) (2018-10-22) ncp-web: update chinese translations
+[v0.64.9 ](https://github.com/nextcloud/nextcloudpi/commit/54e5c21) (2018-10-23) ncp-config: use simple characters
+
+[v0.64.8 ](https://github.com/nextcloud/nextcloudpi/commit/9d998ae) (2018-10-22) ncp-web: update chinese translations
 
 [v0.64.7 ](https://github.com/nextcloud/nextcloudpi/commit/20a4147) (2018-10-21) ncp-web: update chinese translations
 

diff --git a/ncp.sh b/ncp.sh
@@ -130,7 +130,8 @@ EOF
   cat > /home/www/ncp-launcher.sh <<'EOF'
 #!/bin/bash
 DIR=/usr/local/etc/ncp-config.d
-test -f $DIR/$1 || { echo "File not found"; exit 1; }
+[[ -f $DIR/$1  ]] || { echo "File not found"; exit 1; }
+[[ "$1" =~ ../ ]] && { echo "Forbidden path"; exit 2; }
 source /usr/local/etc/library.sh
 cd $DIR
 launch_script $1

diff --git a/update.sh b/update.sh
@@ -218,6 +218,18 @@ EOF
   [[ "$( ls -l /etc/php/7.2/fpm/conf.d/*-opcache.ini |  wc -l )" -gt 1 ]] && rm "$( ls /etc/php/7.2/fpm/conf.d/*-opcache.ini | tail -1 )"
   [[ "$( ls -l /etc/php/7.2/cli/conf.d/*-opcache.ini |  wc -l )" -gt 1 ]] && rm "$( ls /etc/php/7.2/cli/conf.d/*-opcache.ini | tail -1 )"
 
+  # update launcher
+  cat > /home/www/ncp-launcher.sh <<'EOF'
+#!/bin/bash
+DIR=/usr/local/etc/ncp-config.d
+[[ -f $DIR/$1  ]] || { echo "File not found"; exit 1; }
+[[ "$1" =~ ../ ]] && { echo "Forbidden path"; exit 2; }
+source /usr/local/etc/library.sh
+cd $DIR
+launch_script $1
+EOF
+  chmod 700 /home/www/ncp-launcher.sh
+
 } # end - only live updates
 
 exit 0