Mirrors
/
aredn
mirror of https://github.com/aredn/aredn.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add files via upload (#174) 

prevent unauthenticated remote code execution as root in the 'traceroute' function
This commit is contained in:
battlehax 2021-11-11 11:32:30 -06:00 committed by GitHub
parent 90d9ac94bc
commit 2c331fdd6f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 4 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
files/www/cgi-bin/api
View File

@ -356,8 +356,11 @@ for page, comps in pairs(qsset) do
end end
elseif page=="traceroute" then elseif page=="traceroute" then
for i,tonode in pairs(comps:split(',')) do for i,tonode in pairs(comps:split(',')) do
if tonode~="" then -- Validate that input as ip or hostname inside the mesh
if tonode:match("^[%d%.]+$") or tonode:match("^[%d%a%-%.%_]+$") then
info['pages'][page][tonode]=getTraceroute(tonode) info['pages'][page][tonode]=getTraceroute(tonode)
else
info['pages'][page][tonode]="Invalid input!"
end end
end end
elseif page=="mesh" then elseif page=="mesh" then