Fix IPsec up command injection via conn name (#3)

2026-03-11 05:12:03 +00:00 · 2026-03-10 17:29:16 +02:00
parent 2c211e557e
commit 1a0aa44dba
1 changed files with 8 additions and 1 deletions
--- a/ipsec/up.cgi
+++ b/ipsec/up.cgi
@@ -8,8 +8,15 @@ $| = 1;
 $theme_no_table++;
 &ui_print_header(undef, $text{'up_title'}, "");

+# Validate connection name against configured connections
+my @conf = &get_config();
+my %ok_conns = map { $_->{'value'}, 1 }
+	       grep { $_->{'name'} eq 'conn' && $_->{'value'} ne '%default' }
+	       @conf;
+$ok_conns{$in{'conn'}} || &error($text{'save_ename'});
+
 # Try to connect
-$cmd = "$config{'ipsec'} auto --up '$in{'conn'}'";
+$cmd = "$config{'ipsec'} auto --up ".quotemeta($in{'conn'});
 print "<b>",&text('up_cmd', "<tt>$cmd</tt>"),"</b>\n";
 print "<pre>";
 &foreign_require("proc", "proc-lib.pl");