Changeset 2414

Timestamp:
09/14/06 00:48:44 (7 years ago)
Author:
qldrob
Message:

Remove remote command execution vulnerability in backup module - Thanks, Barrie!

Files:

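--- a/modules/branches/2.1/backup/page.backup.php
+++ b/modules/branches/2.1/backup/page.backup.php
@@ -20,4 +20,20 @@
 $type = 'tool';
 
+$dir=isset($_REQUEST['dir'])?$_REQUEST['dir']:'';
+$file=isset($_REQUEST['file'])?$_REQUEST['file']:'';
+$filetype=isset($_REQUEST['filetype'])?$_REQUEST['filetype']:'';
+$ID=isset($_REQUEST['backupid'])?$_REQUEST['backupid']:'';
+$name=((isset($_REQUEST['name'])&&empty($_REQUEST['name']))?'backup':$_REQUEST['name']);
+
+// Santity check passed params
+if (strpos($dir, '.') || strpos($dir, '\'') || strpos($dir, '"') || strpos($dir, '\'') || strpos($dir,'\`') ||
+    strpos($file, '.') || strpos($file, '\'') || strpos($file, '"') || strpos($file, '\'') || strpos($file,'\`') ||
+    strpos($ID, '.') || strpos($ID, '\'') || strpos($ID, '"') || strpos($ID, '\'') || strpos($ID,'\`') ||
+    strpos($filetype, '.') || strpos($filetype, '\'') || strpos($filetype, '"') || strpos($filetype, '\'') || strpos($filetype,'\`')) {
+  print "You're trying to use an invalid character. Please don't.\n";
+  exit;
+}
+
+
 switch ($action) {
   case "addednew":
@@ -44,5 +60,4 @@
   break;
   case "edited":
-    $ID=$_REQUEST['backupid'];
     Delete_Backup_set($ID);
     $ALL_days=$_REQUEST['all_days'];
@@ -51,5 +66,4 @@
 
     $backup_schedule=$_REQUEST['backup_schedule'];
-    $name=(empty($_REQUEST['name'])?'backup':$_REQUEST['name']);
     $mins=$_REQUEST['mins'];
     $hours=$_REQUEST['hours'];
@@ -68,19 +82,13 @@
   break;
   case "delete":
-    $ID=$_REQUEST['backupid'];
     Delete_Backup_set($ID);
   break;
   case "deletedataset":
-    $dir=$_REQUEST['dir'];
     exec("/bin/rm -rf '$dir'");
   break;
   case "deletefileset":
-    $dir=$_REQUEST['dir'];
     exec("/bin/rm -rf '$dir'");
   break;
   case "restored":
-    $dir=$_REQUEST['dir'];
-    $file=$_REQUEST['file'];
-    $filetype=$_REQUEST['filetype'];
     $Message=Restore_Tar_Files($dir, $file, $filetype, $display);
     needreload();
@@ -164,11 +172,8 @@
   <h2><?php echo _("System Restore")?></h2>
 <?php
-  if (!isset($_REQUEST['dir'])) {
+  if (empty($dir)) {
     $dir = "/var/lib/asterisk/backups";
     if(!is_dir($dir)) mkdir($dir);
-  } else {
-    $dir = "$_REQUEST[dir]";
   }
-  $file = "$_REQUEST[file]";
 
   Get_Tar_Files($dir, $display, $file);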
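Review bot: The new sanity check on lines 29–32 tests bare `strpos()` results in boolean context, so a forbidden character at offset 0 returns `0` and reads as "not found" — a `$dir` beginning with `'` (e.g. `'; id; '`) or `.` (`../x`) is accepted and, now that the per-case reassignments are removed, flows unchanged into `exec("/bin/rm -rf '$dir'")` in the deletedataset/deletefileset cases (the switch's case bodies continue outside the shown hunks). In a single-quoted PHP string `'\`'` is the two-byte sequence backslash-backtick, so a bare backtick is not rejected either; one line covers all of this: `if (preg_match('/[.\'"`]/', $dir . $file . $ID . $filetype)) {`. Even then this remains a denylist — any absolute path without those characters (`/`, `/var`) still reaches `rm -rf` — so `$dir` should additionally be resolved with `realpath()` and required to lie beneath `/var/lib/asterisk/backups`, and passed through `escapeshellarg()` rather than hand-placed single quotes. Separately, the new `$name` assignment on line 26 selects `$_REQUEST['name']` precisely when it is not set, which is inverted relative to the line it replaces; `$name=(empty($_REQUEST['name'])?'backup':$_REQUEST['name']);` restores that behaviour.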