Don't allow tempdir to be set to /tmp

2026-03-20 08:40:24 +00:00 · 2022-02-21 15:14:01 -08:00
parent 627d86f9e8
commit 778d67f662
2 changed files with 11 additions and 0 deletions
--- a/webmin/change_advanced.cgi
+++ b/webmin/change_advanced.cgi
@@ -12,6 +12,8 @@ if ($in{'tempdir_def'}) {
 	}
 else {
 	-d $in{'tempdir'} || &error($text{'advanced_etemp'});
+	&allowed_temp_dir($in{'tempdir'}) ||
+		&error(&text('advanced_etempallowed', $in{'tempdir'}));
 	$gconfig{'tempdir'} = $in{'tempdir'};
 	}

@@ -32,6 +34,8 @@ for($i=0; defined($tmod = $in{'tmod_'.$i}); $i++) {
 	$tdir = $in{'tdir_'.$i};
 	%minfo = &get_module_info($tmod);
 	-d $tdir || &error(&text('advanced_etdir', $minfo{'desc'}));
+	&allowed_temp_dir($tdir) ||
+		&error(&text('advanced_etempallowed', $in{'tempdir'}));
 	push(@tdirs, [ $tmod, $tdir ]);
 	}
 &save_tempdirs(\%gconfig, \@tdirs);
@@ -121,3 +125,9 @@ else {
 &show_restart_page();
 &webmin_log("advanced");

+
+sub allowed_temp_dir
+{
+my ($t) = @_;
+return $t eq "/tmp" || $t eq "/var" || $t eq "/" ? 0 : 1;
+}
--- a/webmin/lang/en
+++ b/webmin/lang/en
@@ -876,6 +876,7 @@ advanced_eprecache=Missing list of shell patterns to pre-cache
 advanced_err=Failed to save advanced options
 advanced_etemp=Missing or non-existant temporary files directory
 advanced_etdir=Missing or non-existant temporary files directory for $1
+advanced_etempallowed=Temporary files directory $1 is a system directory
 advanced_pass=Make password available to Webmin programs?<br><font size=-1>(Does not work when session authentication is enabled)</font>
 advanced_tempmods=Per-module temporary directories
 advanced_tmod=Module