michael/webmin
1
0
Fork 0
mirror of https://github.com/webmin/webmin.git synced 2026-03-11 05:12:03 +00:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

Fix init start/stop command injection guard (#1)

Browse Source
This commit is contained in:
Ilia Ross
2026-03-10 17:29:15 +02:00
parent b8481cc1e5
commit b3ec013fc9
1 changed files with 19 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
init/start_stop.cgi
View File

@@ -17,7 +17,25 @@ foreach $a ('start', 'restart', 'condrestart', 'reload', 'status', 'stop') {
}
$action ||= 'stop';
&ui_print_header(undef, $text{'ss_'.$action}, "");
$cmd = $in{'file'}." ".$action;
# Only allow known init action files
my %ok_files;
foreach my $a (&list_actions()) {
my ($name) = split(/\s+/, $a);
my $file = $name =~ /^\// ? $name : "$config{'init_dir'}/$name";
$ok_files{$file} = 1;
}
foreach my $rl (&list_runlevels()) {
foreach my $w ("S", "K") {
foreach my $a (&runlevel_actions($rl, $w)) {
my ($order, $name) = split(/\s+/, $a);
my $file = "$config{'init_base'}/rc$rl.d/$w$order$name";
$ok_files{$file} = 1 if (-r $file);
}
}
}
$ok_files{$in{'file'}} || &error($text{'ss_ecannot'});
$cmd = quotemeta($in{'file'})." ".quotemeta($action);
# In case the action was Webmin
$SIG{'TERM'} = 'ignore';