projects / project / luci.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 6f349c9) | patch
luci-base: sys: prevent path traversal via sys.init routines
authorJo-Philipp Wich <[email protected]>
Wed, 19 Jan 2022 15:32:52 +0000 (16:32 +0100)
committerJo-Philipp Wich <[email protected]>
Wed, 19 Jan 2022 15:34:21 +0000 (16:34 +0100)
commitcc8ba6e3010ba58fb188eacb93af43fc05f11791
tree59ae59bda086b8a8834b249848e0e85f1f6c3199tree | snapshot
parent6f349c9142e436d6c7447c0a2ab108803ba431f8commit | diff
luci-base: sys: prevent path traversal via sys.init routines

Filter the init script name parameter through fs.basename() to avoid
invoking paths outside of /etc/init.d/.

Reported-by: Graham R <[email protected]>
Signed-off-by: Jo-Philipp Wich <[email protected]>
(cherry picked from commit 8752701b0d01a81d0bd0a735be733f24ad11ab69)
modules/luci-base/luasrc/sys.lua diff | blob | history
Lua Configuration Interface (mirror)