luci-app-ddns: fix multiple authenticated RCEs
author Jo-Philipp Wich <jo@mein.io>
Wed, 17 Feb 2021 17:18:14 +0000 (18:18 +0100)
committer Jo-Philipp Wich <jo@mein.io>
Wed, 17 Feb 2021 17:18:14 +0000 (18:18 +0100)
commit 9df7ea4d66644df69fcea18b36bc465912ffccbd
tree bee02a638ed803203009e0b3ba68c140539a370d
parent 34e0d656a41befd9720be35c4831c9f136a67c59
luci-app-ddns: fix multiple authenticated RCEs

The ddns detail model passes unsanitized values directly to sys.call() in
various places, which allows injecting arbitrary commands through a number
of fields.

Prevent that issue by quoting the values used in command invocations.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
applications/luci-app-ddns/luasrc/model/cbi/ddns/detail.lua
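
The class of bug the commit message describes, and the quoting fix, as an added example that is not code from this commit or from luci-app-ddns. The `shellquote` and `run` helpers, the `printf` command and the sample value are assumptions made for illustration; `io.popen` stands in for `sys.call()` so the shell's output can be captured.

```lua
-- Added illustration; not taken from detail.lua.

-- Quote a value for a POSIX shell (hypothetical helper for this example).
-- Inside single quotes the shell treats every byte literally, so the only
-- character that needs handling is the single quote itself: close the
-- quoted string, emit an escaped quote, then reopen it.
local function shellquote(value)
  local escaped = tostring(value or ""):gsub("'", "'\\''")
  return "'" .. escaped .. "'"
end

-- Run a command line through /bin/sh and return everything it printed.
local function run(cmd)
  local pipe = assert(io.popen(cmd))
  local out = pipe:read("*a")
  pipe:close()
  return out
end

-- Constructed form value containing shell metacharacters and a quote.
local value = "example.org; echo INJECTED #'"

-- Before: the value is concatenated into the command line, so the shell
-- parses it as syntax. The ';' ends the printf command and a second
-- command runs.
local unsafe_cmd = "printf '[%s]\\n' " .. value

-- After: the value is quoted, so the shell passes it to printf as one
-- literal argument, metacharacters included.
local safe_cmd = "printf '[%s]\\n' " .. shellquote(value)

local unsafe_out = run(unsafe_cmd)
local safe_out = run(safe_cmd)

print("unsafe command: " .. unsafe_cmd)
print(unsafe_out)
print("quoted command: " .. safe_cmd)
print(safe_out)

-- The unquoted form executed two commands; the quoted form executed one
-- and received the value byte for byte.
assert(unsafe_out == "[example.org]\nINJECTED\n")
assert(safe_out == "[" .. value .. "]\n")
```

Quoting keeps the value from being parsed as shell syntax, but the program that receives it can still interpret it (for example, a value starting with `-` read as an option), so validating each field against its expected format remains a separate check.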