From 305b25486af424d89ccfc2fd7607579f90735602 Mon Sep 17 00:00:00 2001
From: Jo-Philipp Wich
Date: Wed, 24 Nov 2010 05:05:39 +0000
Subject: [PATCH] applications/luci-wol: fix XSS
---
applications/luci-wol/luasrc/model/cbi/wol.lua | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/applications/luci-wol/luasrc/model/cbi/wol.lua b/applications/luci-wol/luasrc/model/cbi/wol.lua
index ac73919e2..30467f430 100644
--- a/applications/luci-wol/luasrc/model/cbi/wol.lua
+++ b/applications/luci-wol/luasrc/model/cbi/wol.lua
@@ -48,7 +48,7 @@ if has_ewk then end iface:value("", translate("Broadcast on all interfaces")) - + for _, e in ipairs(sys.net.devices()) do if e ~= "lo" then iface:value(e) end end
@@ -86,7 +86,7 @@ end function host.write(self, s, val) local host = luci.http.formvalue("cbid.wol.1.mac") - if host and #host > 0 then + if host and #host > 0 and host:match("^[a-fA-F0-9:]+$") then local cmd local util = luci.http.formvalue("cbid.wol.1.binary") or ( has_ewk and "/usr/bin/etherwake" or "/usr/bin/wol"
@@ -127,4 +127,3 @@ end return m - -- 2.25.1
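Review bot: In `host.write`, `util` is still read from the `cbid.wol.1.binary` form value with no check, while this change validates only the MAC field. The rest of the function lies outside the hunk, but the adjacent `local cmd` suggests `util` ends up in a command line, so the request rather than the form's two choices would decide which program runs. Compare it with the known paths before use, e.g. `if util ~= "/usr/bin/etherwake" and util ~= "/usr/bin/wol" then return end`. The new pattern `^[a-fA-F0-9:]+$` also accepts strings that are not MAC addresses (any length, runs of colons); `^%x%x:%x%x:%x%x:%x%x:%x%x:%x%x$` would pin the six-octet form.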