only allow pre-defined directories (avoid regex)
Just to be more secure.
@ -265,16 +265,17 @@ sub handle_request {
}
if ($self->{dirs} && ($method eq 'GET')) {
foreach my $dir (keys %{$self->{dirs}}) {
# we only allow simple names
if ($uri =~ m/^$dir([a-zA-Z0-9\-\_\.\/]+)$/) {
my $reluri = $1;
$reluri =~ s/\.\./XX/g; # do not allow '..'
my $filename = "$self->{dirs}->{$dir}$reluri";
# we only allow simple names
if ($uri =~ m!^(/\S+/)([a-zA-Z0-9\-\_\.]+)$!) {
my ($subdir, $file) = ($1, $2);
if (my $dir = $self->{dirs}->{$subdir}) {
my $filename = "$dir$file";
my $fh = IO::File->new($filename) ||
die "unable to open file '$filename' - $!\n";
send_file_start($self, $reqstate, $filename);
return;
} else {
print "FAILED\n"
}
}
}
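Review bot: The file-name class `[a-zA-Z0-9\-\_\.]+` on the new `if ($uri =~ ...)` line still accepts `.` and `..` as the whole name, so a request for `/pve2/css/..` builds `$dir..` and `IO::File->new` is asked to open a directory rather than a file; the `$self->{dirs}->{$subdir}` hash lookup keeps this inside the configured tree, but the branch should still reject it. Requiring a leading alphanumeric, `if ($uri =~ m!^(/\S+/)([a-zA-Z0-9][a-zA-Z0-9\-_.]*)$!) {`, excludes `.`, `..` and dot-files in one change, and `\z` in place of `$` would also stop a trailing newline from matching. The `$fh` returned by `IO::File->new($filename)` is opened only as an existence check and never read, so `-f $filename or die ...` states the intent more directly, and the `print "FAILED\n"` in the else branch writes to the daemon's STDOUT instead of answering the request — presumably a debugging leftover. handle_request begins before this hunk.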
29
bin/pveproxy
29
bin/pveproxy
@ -44,11 +44,33 @@ $0 = "pveproxy";
PVE::APIDaemon::enable_debug() if $opt_debug;
sub add_dirs {
my ($result_hash, $alias, $subdir) = @_;
$result_hash->{$alias} = $subdir;
my $wanted = sub {
my $dir = $File::Find::dir;
if ($dir =~m!^$subdir(.*)$!) {
my $name = "$alias$1/";
$result_hash->{$name} = "$dir/";
}
};
find({wanted => $wanted, follow => 0, no_chdir => 1}, $subdir);
}
my $cpid;
my $daemon;
eval {
my $dirs = {};
add_dirs($dirs, '/pve2/ext4/', '/usr/share/pve-manager/ext4/');
add_dirs($dirs, '/pve2/images/' => '/usr/share/pve-manager/images/');
add_dirs($dirs, '/pve2/css/' => '/usr/share/pve-manager/css/');
add_dirs($dirs, '/vncterm/' => '/usr/share/vncterm/');
$daemon = PVE::APIDaemon->new(
port => 8006,
keep_alive => 100,
@ -69,12 +91,7 @@ eval {
file => '/usr/share/pve-manager/images/favicon.ico',
},
},
dirs => {
'/pve2/images/' => '/usr/share/pve-manager/images/',
'/pve2/css/' => '/usr/share/pve-manager/css/',
'/pve2/ext4/' => '/usr/share/pve-manager/ext4/',
'/vncterm/' => '/usr/share/vncterm/',
},
dirs => $dirs,
);
};
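Review bot: In `add_dirs`, `$subdir` is interpolated unescaped into `m!^$subdir(.*)$!`, so a regex metacharacter in a configured path (a `.` or `+` in a directory name) changes what the prefix test matches; `if ($dir =~ m!^\Q$subdir\E(.*)$!) {` keeps it literal. The `wanted` callback is invoked for every file, not only for directories, so the same alias key is reassigned once per file the directory contains — harmless, but it hides the intent, and a comment such as `# called per entry: registers the entry's parent dir, so empty subdirs are never added` would spare the next reader the analysis (with `no_chdir`, `$File::Find::dir` appears to be the parent of the entry being visited, which is why the code does not use `$File::Find::name`). The explicit `$result_hash->{$alias} = $subdir;` seems to be what covers the top directory, since `$subdir` carries a trailing slash that the callback's `$dir` would not match; that deserves a one-line comment as well. As a style point, the first `add_dirs` call separates alias and path with a comma while the other three use `=>`; the `dirs => $dirs` hunk further down only swaps the literal table for this map.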