Fix to use quotemeta to prevent shell injection in fetchmail module

Ref.: 50a2460d-441a-4bc6 (VULN-003)
Ilia Ross
2026-02-10 14:45:20 +02:00
parent 399d7a8651
commit ac9456b368
7 changed files with 21 additions and 16 deletions


@@ -17,14 +17,14 @@ else {
&ui_print_unbuffered_header($uheader, $text{'check_title'}, "");
$cmd = "$config{'fetchmail_path'} -v -f '$file'";
$cmd = "$config{'fetchmail_path'} -v -f ".quotemeta($file);
if ($config{'mda_command'}) {
$cmd .= " -m '$config{'mda_command'}'";
$cmd .= " -m ".quotemeta($config{'mda_command'});
}
if (defined($in{'idx'})) {
@conf = &parse_config_file($file);
$poll = $conf[$in{'idx'}];
$cmd .= " $poll->{'poll'}";
$cmd .= " ".quotemeta($poll->{'poll'});
}
print &text('check_exec', "<tt>$cmd</tt>"),"<p>\n";
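Review bot: The assembled `$cmd` is still written into the page unescaped at `print &text('check_exec', "<tt>$cmd</tt>")`; quotemeta only neutralises shell metacharacters, so a `<` or `"` inside `$file` or inside a poll name taken from the parsed config reaches the browser as `\<`, which is still markup. Run the string through the HTML escaper (presumably `&html_escape` from web-lib is in scope here, as elsewhere in Webmin) before display: `print &text('check_exec', "<tt>".&html_escape($cmd)."</tt>"),"<p>\n";`. Separately, `$in{'idx'}` is used as an array subscript with no validation: a negative or non-numeric value silently selects a different poll (negative subscripts count from the end) and an out-of-range one leaves `$poll` undef, so `quotemeta($poll->{'poll'})` appends nothing and the whole config is checked instead of one entry. A guard such as `$in{'idx'} =~ /^\d+$/ || &error($text{'check_eidx'});` before the lookup closes that (the message key is illustrative).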


@@ -19,10 +19,10 @@ print &ui_table_start($text{'cron_header'}, "width=100%", 2);
if ($job) {
if ($job->{'command'} =~ /--mail\s+(\S+)/) {
$mail = `echo $1`;
($mail = $1) =~ s/\\(.)/$1/g;
}
elsif ($job->{'command'} =~ /--file\s+(\S+)/) {
$file = `echo $1`;
($file = $1) =~ s/\\(.)/$1/g;
}
elsif ($job->{'command'} =~ /--output/) {
$output = 1;
@@ -31,7 +31,7 @@ if ($job) {
$owner = 1;
}
if ($job->{'command'} =~ /--user\s+(\S+)/) {
$user = $1;
($user = $1) =~ s/\\(.)/$1/g;
}
if ($job->{'command'} =~ /--errors/) {
$errors = 1;


@@ -36,7 +36,7 @@ if ($in{'errors'}) {
}
if ($cron_user eq "root" && $fetchmail_config) {
defined(getpwnam($in{'user'})) || &error($text{'cron_euser'});
$cmd .= " --user $in{'user'}";
$cmd .= " --user ".quotemeta($in{'user'});
}
if ($job && $in{'enabled'}) {


@@ -51,9 +51,9 @@ if ($found) {
else {
&create_poll($poll, $file);
if ($in{'user'} && $< == 0) {
&system_logged("chown $in{'user'} $file");
&system_logged("chown ".quotemeta($in{'user'})." ".quotemeta($file));
}
&system_logged("chmod 700 $file");
&system_logged("chmod 700 ".quotemeta($file));
}
&unlock_file($file);
&webmin_log("global", undef, $config{'config_file'} ? $file : $in{'user'},
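Review bot: `$in{'user'}` is handed to `chown` here with no check that it names a real account, whereas the parallel save path in the other file of this commit looks it up with `getpwnam` and passes the numeric `uid:gid`; quotemeta stops shell injection, but `chown` also accepts `user:group` and raw numeric ids, so an unvalidated value can give the poll file to an arbitrary owner and group. Mirror the other path: `local @uinfo = getpwnam($in{'user'}); @uinfo || &error("Unknown user $in{'user'}"); &system_logged("chown $uinfo[2]:$uinfo[3] ".quotemeta($file));`. If a getpwnam check already happens earlier in this file it is outside the hunk, and the chown line should not silently depend on it.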


@@ -101,9 +101,9 @@ else {
&create_poll($poll, $file);
if ($in{'user'} && $< == 0) {
local @uinfo = getpwnam($in{'user'});
&system_logged("chown $uinfo[2]:$uinfo[3] $file");
&system_logged("chown $uinfo[2]:$uinfo[3] ".quotemeta($file));
}
&system_logged("chmod 700 $file");
&system_logged("chmod 700 ".quotemeta($file));
}
else {
&modify_poll($poll, $file);
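Review bot: When `getpwnam($in{'user'})` returns nothing, `@uinfo` is empty and the command on the next line becomes `chown : <file>`, which only fails in the log because `system_logged`'s result is not checked; `$in{'user'}` may have been validated earlier in this file, but that is outside the hunk. Add `@uinfo || &error("Unknown user $in{'user'}");` directly after the lookup. Since uid and gid are already numeric, the shell is not needed here at all: Perl's builtin `chown($uinfo[2], $uinfo[3], $file)` and `chmod(0700, $file)` would remove the quoting question entirely, at the cost of the `system_logged` audit entry, which is presumably why the shell form was kept.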


@@ -13,17 +13,21 @@ if ($config{'start_cmd'}) {
}
else {
$in{'interval'} =~ /^\d+$/ || &error($text{'start_einterval'});
$mda = " -m '$config{'mda_command'}'" if ($config{'mda_command'});
$mda = " -m ".quotemeta($config{'mda_command'}) if ($config{'mda_command'});
my $qinterval = quotemeta($in{'interval'});
my $qconfig_file = quotemeta($config{'config_file'});
if ($< == 0) {
if ($config{'daemon_user'} eq 'root') {
$out = &backquote_logged("$config{'fetchmail_path'} -d $in{'interval'} -f $config{'config_file'} $mda 2>&1");
$out = &backquote_logged("$config{'fetchmail_path'} -d $qinterval -f $qconfig_file $mda 2>&1");
}
else {
$out = &backquote_logged("su - '$config{'daemon_user'}' -c '$config{'fetchmail_path'} -d $in{'interval'} -f $config{'config_file'} $mda' 2>&1");
my $qdaemon_user = quotemeta($config{'daemon_user'});
my $daemon_cmd = "$config{'fetchmail_path'} -d $qinterval -f $qconfig_file $mda";
$out = &backquote_logged("su - $qdaemon_user -c ".quotemeta($daemon_cmd)." 2>&1");
}
}
else {
$out = &backquote_logged("$config{'fetchmail_path'} -d $in{'interval'} $mda 2>&1");
$out = &backquote_logged("$config{'fetchmail_path'} -d $qinterval $mda 2>&1");
}
}
if ($?) {
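Review bot: The double escaping on the `su` line — `$daemon_cmd` already holds the quotemeta'd interval, config file and MDA, and the whole string is quotemeta'd again — is correct only because the outer shell unescapes once and `su -c` hands the result to the daemon user's login shell, which unescapes once more; it reads like a bug, so it deserves a comment such as `# escaped twice on purpose: once for this shell, once for the login shell that su -c runs`. That also means the command relies on `daemon_user` having a Bourne-compatible login shell, which the previous single-quoted form did as well. One small hardening: `/^\d+$/` on `$in{'interval'}` accepts a trailing newline because of `$`; use `/^\d+\z/` so the value is a pure integer before it is interpolated.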


@@ -16,7 +16,8 @@ elsif ($< == 0) {
$out = &backquote_logged("$config{'fetchmail_path'} -q 2>&1");
}
else {
$out = &backquote_logged("su - '$config{'daemon_user'}' -c '$config{'fetchmail_path'} -q' 2>&1");
my $qdaemon_user = quotemeta($config{'daemon_user'});
$out = &backquote_logged("su - $qdaemon_user -c ".quotemeta("$config{'fetchmail_path'} -q")." 2>&1");
}
}
else {
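Review bot: `quotemeta("$config{'fetchmail_path'} -q")` turns every `/` in the path into `\/`, which is only right because `su -c` passes the string to the daemon user's login shell, which strips the backslashes again; without a comment the next reader is likely to "fix" it back to single quotes, so add `# escaped for both this shell and the login shell su -c spawns` above the line. As with the old form, this silently assumes that login shell is Bourne-compatible. The if/elsif chain this branch belongs to starts before the hunk.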