Bugfix: read_postdata() accepts files when not expected

Correct read_postdata() to only accept files from pages that are
specifically designed to accept files.

This should be limited to authenticated pages only.

Backport SCS-2017-001

Related to  Ic40f19a88e543d83a8097abcd4e7254ccea90f49

Conflicts:

	files/www/cgi-bin/admin
Conrad Lara - KG6JEI 2017-01-24 20:06:43 -08:00
parent 38a2835471
commit d896c0fafd
2 changed files with 3 additions and 2 deletions


@ -57,7 +57,7 @@ sub firmware_list_gen
$debug = 0;
$| = 1;
read_postdata();
read_postdata({acceptfile => true});
read_query_string();
$node = nvram_get("node");
$tmpdir = "/tmp/web/admin";
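Review bot: `acceptfile => true` passes a bareword rather than a boolean. Without `use strict` Perl turns it into the string "true", and `acceptfile => false` would be just as truthy, so a later caller trying to opt out that way would silently enable uploads. Under `use strict 'subs'` the line would not compile at all. Use `read_postdata({acceptfile => 1});` instead. The commit message limits file acceptance to authenticated pages, but whether this call runs only after the authentication check is not visible in the hunk and is worth confirming.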


@ -165,6 +165,7 @@ sub fgets
# (from STDIN in method=post form)
sub read_postdata
{
my ($pdc) = @_;
if ( $ENV{REQUEST_METHOD} != "POST" || !$ENV{CONTENT_LENGTH}){ return; };
my ($line, $parm, $file, $handle, $tmp);
my $state = "boundary";
@ -187,7 +188,7 @@ sub read_postdata
if(($parm, $file) = $line =~ /^$prefix name="(\w+)"; filename="(.*)"$/)
{ # file upload
$parms{$parm} = $file;
if($file) { $state = "ctype" }
if($file && $pdc->{acceptfile}) { $state = "ctype" }
else { $state = "boundary" }
}
elsif(($parm) = $line =~ /^$prefix name="(\w+)"$/)
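Review bot: In the first hunk the guard `$ENV{REQUEST_METHOD} != "POST"` uses the numeric operator, so both sides evaluate to 0 for any alphabetic method name and that half of the test never triggers; the parser is skipped only when CONTENT_LENGTH is empty. Since this commit narrows what read_postdata() accepts, change it to `if ( $ENV{REQUEST_METHOD} ne "POST" || !$ENV{CONTENT_LENGTH} ) { return; }`. In the second hunk `$parms{$parm} = $file` still stores the client-supplied filename when `acceptfile` is not set, so callers should not treat a non-empty value there as proof that a file was saved. The new `$pdc` argument is undocumented; a comment such as `# $pdc: optional hashref; acceptfile => 1 permits multipart file parts` above the sub would help. The body of read_postdata continues outside both hunks.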