Add files via upload (#174)

prevent unauthenticated remote code execution as root in the 'traceroute' function
2021-11-11 11:32:30 -06:00 · 2021-11-11 11:32:30 -06:00 · 2c331fdd6f
parent 90d9ac94bc
commit 2c331fdd6f
1 changed files with 4 additions and 1 deletions
--- a/files/www/cgi-bin/api
+++ b/files/www/cgi-bin/api
@ -356,8 +356,11 @@ for page, comps in pairs(qsset) do
 		end
 	elseif page=="traceroute" then
 		for i,tonode in pairs(comps:split(',')) do
-			if tonode~="" then
+			-- Validate that input as ip or hostname inside the mesh
+			if tonode:match("^[%d%.]+$") or tonode:match("^[%d%a%-%.%_]+$") then
 				info['pages'][page][tonode]=getTraceroute(tonode)
+			else
+				info['pages'][page][tonode]="Invalid input!"
 			end
 		end
 	elseif page=="mesh" then