projects / project / luci.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 7a37d02) | patch
luci-base: sys: prevent path traversal via sys.init routines
authorJo-Philipp Wich <jo@mein.io>
Wed, 19 Jan 2022 15:32:52 +0000 (16:32 +0100)
committerJo-Philipp Wich <jo@mein.io>
Wed, 19 Jan 2022 15:34:07 +0000 (16:34 +0100)
commit2360ebc2e8973328c7bed8a86f6b68578302bce2
tree96d6c54aa4b8a9bab779cceb262c98c8c1f62eb4tree | snapshot
parent7a37d028823cb02ecc46ebead7fdb1cef8a1d962commit | diff
luci-base: sys: prevent path traversal via sys.init routines

Filter the init script name parameter through fs.basename() to avoid
invoking paths outside of /etc/init.d/.

Reported-by: Graham R <gr348@cam.ac.uk>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 8752701b0d01a81d0bd0a735be733f24ad11ab69)
modules/luci-base/luasrc/sys.lua diff | blob | history
Lua Configuration Interface (mirror)