[geeklog-hg] geeklog: Fixed a possible OS command injection with database backup
geeklog-cvs at lists.geeklog.net
geeklog-cvs at lists.geeklog.net
Tue Nov 24 09:33:34 EST 2015
changeset 9651:c54be0e63a71
url: http://project.geeklog.net/cgi-bin/hgwebdir.cgi/geeklog/rev/c54be0e63a71
user: Kenji ITO <mystralkk at gmail.com>
date: Tue Nov 24 23:33:09 2015 +0900
description:
Fixed a possible OS command injection with database backup
diffstat:
public_html/admin/database.php | 10 ++++++++--
1 files changed, 8 insertions(+), 2 deletions(-)
diffs (42 lines):
diff -r f76eff2c826f -r c54be0e63a71 public_html/admin/database.php
--- a/public_html/admin/database.php Wed Nov 11 17:15:24 2015 +0100
+++ b/public_html/admin/database.php Tue Nov 24 23:33:09 2015 +0900
@@ -248,7 +248,11 @@
$curdatetime = date('Y_m_d_H_i_s');
$filename_mask = "geeklog_db_backup_{$curdatetime}.sql";
}
+
+ $filename_mask = basename($filename_mask);
+ $filename_mask = COM_sanitizeFilename($filename_mask, true);
$backupfile = $_CONF['backup_path'] . $filename_mask;
+
$command = $_DB_mysqldump_path . " -h$_DB_host -u$_DB_user";
if (!empty($_DB_pass)) {
$command .= " -p'$_DB_pass'";
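Review bot: The connection credentials are still spliced into the shell string unquoted at `$command = $_DB_mysqldump_path . " -h$_DB_host -u$_DB_user";` and `$command .= " -p'$_DB_pass'";`, so a password containing a single quote (or a host/user name with shell metacharacters) breaks the quoting that the `escapeshellarg($backupfile)` added in the next hunk otherwise establishes; `$command .= ' -p' . escapeshellarg($_DB_pass);` would be consistent with the rest of the fix, and the same applies to `$_DB_name` and `$_CONF['mysqldump_options']` in the next hunk. These values come from configuration rather than the request, so this is hardening of the same command string rather than the injection the commit closes. The new `basename()` plus `COM_sanitizeFilename()` pair is not checked for an empty result before `$backupfile` is built, so a fully rejected mask would presumably leave `$backupfile` equal to `$_CONF['backup_path']` itself — worth a guard if `COM_sanitizeFilename()` can return an empty string, which is not visible here. The enclosing function starts before the hunk.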
@@ -256,7 +260,7 @@
if (!empty($_CONF['mysqldump_options'])) {
$command .= ' ' . $_CONF['mysqldump_options'];
}
- $command .= " $_DB_name > \"$backupfile\"";
+ $command .= " $_DB_name > " . escapeshellarg($backupfile);
$log_command = $command;
if (!empty($_DB_pass)) {
@@ -335,6 +339,7 @@
$failed = 0;
foreach ($_POST['delitem'] as $delfile) {
+ $delfile = basename($delfile);
$file = COM_sanitizeFilename($delfile, true);
if (! empty($file)) {
$files++;
@@ -711,7 +716,8 @@
if ($mode == 'download') {
$file = '';
if (isset($_GET['file'])) {
- $file = COM_sanitizeFilename($_GET['file'], true);
+ $file = basename($_GET['file']);
+ $file = COM_sanitizeFilename($file, true);
if (! file_exists($_CONF['backup_path'] . $file)) {
$file = '';
}
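Review bot: `file_exists($_CONF['backup_path'] . $file)` also succeeds when the sanitized name refers to a directory entry, so the download branch is not limited to regular backup files; `if (! is_file($_CONF['backup_path'] . $file))` would be the tighter check. Whether `COM_sanitizeFilename()` can leave such a name (for example a bare `.` or `..`) is not visible in this hunk, so treat this as defence in depth. The `if ($mode == 'download')` block continues past the hunk.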