From: Jo-Philipp Wich <jo@mein.io>
Date: Wed, 14 Nov 2018 12:37:51 +0000 (+0100)
Subject: luci-mod-system: prevent comment injection in mtdbackup endpoint
X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=6f7736c436e1759098102859559f1313ad0669db;p=oweals%2Fluci.git

luci-mod-system: prevent comment injection in mtdbackup endpoint

Rework the parameter handling to both prevent a crash when no parameter is
given and to prevent root command injection through the mtd index part of
the parameter value.

Fixes: 9840d310e ("modules: add backup module for mtdblock devices")
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
---

diff --git a/modules/luci-mod-system/luasrc/controller/admin/system.lua b/modules/luci-mod-system/luasrc/controller/admin/system.lua
index 4e83769ee..8d9305f4f 100644
--- a/modules/luci-mod-system/luasrc/controller/admin/system.lua
+++ b/modules/luci-mod-system/luasrc/controller/admin/system.lua
@@ -319,9 +319,13 @@ function action_backup()
 end
 
 function action_backupmtdblock()
-	local http = require "luci.http"
-	local mv = http.formvalue("mtdblockname")
-	local m, s, n = mv:match('^([^%s]+)/([^%s]+)/([^%s]+)')
+	local mv = luci.http.formvalue("mtdblockname") or ""
+	local m, n = mv:match('^([^%s%./"]+)/%d+/(%d+)$')
+
+	if not m and n then
+		luci.http.status(400, "Bad Request")
+		return
+	end
 
 	local reader = ltn12_popen("dd if=/dev/mtd%s conv=fsync,notrunc 2>/dev/null" % n)