Bugfix: read_postdata() accepts files when not expected

Correct read_postdata() to only accept files from pages that are specifically designed to accept files. This should be limited to authenticated pages only. SCS-2017-001 Change-Id: Ic40f19a88e543d83a8097abcd4e7254ccea90f49
2017-01-24 20:06:43 -08:00 · 2017-01-24 20:06:43 -08:00 · 24a3243215
parent 8e08363414
commit 24a3243215
2 changed files with 3 additions and 2 deletions
--- a/files/www/cgi-bin/admin
+++ b/files/www/cgi-bin/admin
@ -57,7 +57,7 @@ sub firmware_list_gen

 $debug = 0;
 $| = 1;
-read_postdata();
+read_postdata({acceptfile => true});
 reboot_page("/cgi-bin/status") if $parms{button_reboot};
 read_query_string();
 $node = nvram_get("node");
--- a/files/www/cgi-bin/perlfunc.pm
+++ b/files/www/cgi-bin/perlfunc.pm
@ -166,6 +166,7 @@ sub fgets
 # (from STDIN in method=post form)
 sub read_postdata
 {
+    my ($pdc) = @_;
    if ( $ENV{REQUEST_METHOD} != "POST" || !$ENV{CONTENT_LENGTH}){ return; };
    my ($line, $parm, $file, $handle, $tmp);
    my $state = "boundary";
@ -188,7 +189,7 @@ sub read_postdata
 	    if(($parm, $file) = $line =~ /^$prefix name="(\w+)"; filename="(.*)"$/)
 	    { # file upload
 		$parms{$parm} = $file;
-		if($file) { $state = "ctype" }
+		if($file && $pdc->{acceptfile}) { $state = "ctype" }
 		else      { $state = "boundary" }
 	    }
 	    elsif(($parm) = $line =~ /^$prefix name="(\w+)"$/)