From 6f7736c436e1759098102859559f1313ad0669db Mon Sep 17 00:00:00 2001
From: Jo-Philipp Wich
Date: Wed, 14 Nov 2018 13:37:51 +0100
Subject: [PATCH] luci-mod-system: prevent comment injection in mtdbackup endpoint
Rework the parameter handling to both prevent a crash when no parameter is given and to prevent root command injection through the mtd index part of the parameter value.
Fixes: 9840d310e ("modules: add backup module for mtdblock devices")
Signed-off-by: Jo-Philipp Wich
---
 .../luci-mod-system/luasrc/controller/admin/system.lua | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/modules/luci-mod-system/luasrc/controller/admin/system.lua b/modules/luci-mod-system/luasrc/controller/admin/system.lua
index 4e83769ee0..8d9305f4fd 100644
--- a/modules/luci-mod-system/luasrc/controller/admin/system.lua
+++ b/modules/luci-mod-system/luasrc/controller/admin/system.lua
@@ -319,9 +319,13 @@ function action_backup()
 end
 function action_backupmtdblock()
- local http = require "luci.http"
- local mv = http.formvalue("mtdblockname")
- local m, s, n = mv:match('^([^%s]+)/([^%s]+)/([^%s]+)')
+ local mv = luci.http.formvalue("mtdblockname") or ""
+ local m, n = mv:match('^([^%s%./"]+)/%d+/(%d+)$')
+
+ if not m and n then
+ luci.http.status(400, "Bad Request")
+ return
+ end
 local reader = ltn12_popen("dd if=/dev/mtd%s conv=fsync,notrunc 2>/dev/null" % n)
-- 
2.30.2
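Review bot: The new guard `if not m and n then` parses as `(not m) and n`, and because the pattern on the line above either yields both captures or neither, that condition can never be true, so the 400 response is dead code and a missing or non-matching `mtdblockname` still reaches the `ltn12_popen` call with `n == nil`. The condition should read `if not (m and n) then` (or equivalently `if not m or not n then`). With that fixed, the `(%d+)$` capture is what confines the value interpolated into `dd if=/dev/mtd%s` to digits, which is the actual injection fix; `m` is captured but not used within the hunk, so whether its character-class restriction matters depends on code after the hunk. action_backupmtdblock's body continues outside the hunk.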