Fix to filter out potentially dangerous characters

https://github.com/webmin/webmin/issues/1838#issuecomment-2795296531
Ilia Ross
2025-04-11 14:12:33 +03:00
parent 196e3ed6c4
commit d2d16608dc


@@ -5255,8 +5255,11 @@ $config_file = "$config_directory/config";
%gconfig = ( );
&read_file_cached($config_file, \%gconfig);
$gconfig{'webprefix'} = '' if (!exists($gconfig{'webprefix'}));
if (!$gconfig{'webprefix'} && $gconfig{'webprefix_remote'}) {
if (!$gconfig{'webprefix'} && $gconfig{'webprefix_remote'} &&
defined($ENV{'HTTP_X_WEBMIN_WEBPREFIX'})) {
$gconfig{'webprefix'} = $ENV{'HTTP_X_WEBMIN_WEBPREFIX'};
# Filter out potentially dangerous characters
$gconfig{'webprefix'} =~ s/[^a-zA-Z0-9\.\-_\/]//g;
}
$null_file = $gconfig{'os_type'} eq 'windows' ? "NUL" : "/dev/null";
$path_separator = $gconfig{'os_type'} eq 'windows' ? ';' : ':';
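Review bot: The character filter on the `s/[^a-zA-Z0-9\.\-_\/]//g` line constrains which characters survive but not the shape of the value, so a header that starts with `//` or contains `..` segments still ends up in `$gconfig{'webprefix'}`. How the prefix is used is not visible in this hunk, but if it is prepended to links or redirect targets, a leading `//` would be treated by browsers as a protocol-relative URL rather than a local path. I would normalise and validate right after the filter, e.g. `$gconfig{'webprefix'} =~ s/\/{2,}/\//g;` followed by `$gconfig{'webprefix'} = '' if ($gconfig{'webprefix'} !~ /^\// || $gconfig{'webprefix'} =~ /(^|\/)\.\.(\/|$)/);`. The comment above the filter could also state that `HTTP_X_WEBMIN_WEBPREFIX` is client-controlled unless a fronting proxy overwrites it, so `webprefix_remote` should only be enabled behind such a proxy.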