From d2d16608dcb3a0fbde94592762e7c28268ac0ca5 Mon Sep 17 00:00:00 2001
From: Ilia Ross
Date: Fri, 11 Apr 2025 14:12:33 +0300
Subject: [PATCH] Fix to filter out potentially dangerous characters https://github.com/webmin/webmin/issues/1838#issuecomment-2795296531
---
 web-lib-funcs.pl | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/web-lib-funcs.pl b/web-lib-funcs.pl
index 29dad3119..a30cc5bcd 100755
--- a/web-lib-funcs.pl
+++ b/web-lib-funcs.pl
@@ -5255,8 +5255,11 @@ $config_file = "$config_directory/config";
 %gconfig = ( );
 &read_file_cached($config_file, \%gconfig);
 $gconfig{'webprefix'} = '' if (!exists($gconfig{'webprefix'}));
-if (!$gconfig{'webprefix'} && $gconfig{'webprefix_remote'}) {
+if (!$gconfig{'webprefix'} && $gconfig{'webprefix_remote'} &&
+ defined($ENV{'HTTP_X_WEBMIN_WEBPREFIX'})) {
 $gconfig{'webprefix'} = $ENV{'HTTP_X_WEBMIN_WEBPREFIX'};
+ # Filter out potentially dangerous characters
+ $gconfig{'webprefix'} =~ s/[^a-zA-Z0-9\.\-_\/]//g;
 }
 $null_file = $gconfig{'os_type'} eq 'windows' ? "NUL" : "/dev/null";
 $path_separator = $gconfig{'os_type'} eq 'windows' ? ';' : ':';
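Review bot: The new character filter on `$gconfig{'webprefix'}` still lets structurally unsafe values through: a header value that starts with `//` or contains `..` segments is made only of allowed characters, and stripping instead of rejecting can turn a malformed value into a different prefix that looks valid. If the prefix is later prepended to redirect targets or generated links (that code is outside this hunk, so this is inferred), a leading `//` would be treated by browsers as a protocol-relative URL. Consider validating the shape and falling back to an empty prefix, e.g. `$gconfig{'webprefix'} = '' if ($gconfig{'webprefix'} !~ m{\A(?:/[a-zA-Z0-9_\-][a-zA-Z0-9._\-]*)*\z});`, assuming legitimate prefixes always look like `/name` or `/a/b`. A short comment noting that `webprefix_remote` should only be enabled behind a proxy that sets or strips `X-Webmin-Webprefix` would also help, since the header is otherwise client-controlled.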