From e60d005ab0e8ac1d055fa02c8a12cad826e4bbcd Mon Sep 17 00:00:00 2001
From: Ilia Ross
Date: Sun, 17 May 2026 00:55:15 +0200
Subject: [PATCH] Fix to enforce RPC-only users before module ACL check

* Note: Block `rpc=3` users from normal Webmin UI before `init_config` marks module ACLs checked, while explicitly allowing RPC endpoints.
https://github.com/webmin/webmin/actions/runs/25971500591/job/76344191751
https://github.com/webmin/webmin/commit/45292ea8159c1e9d1724f3b1d8e779879a158f42
---
 fastrpc.cgi | 3 ++-
 rpc.cgi | 5 ++---
 web-lib-funcs.pl | 20 ++++++++++----------
 xmlrpc.cgi | 3 ++-
 4 files changed, 16 insertions(+), 15 deletions(-)
diff --git a/fastrpc.cgi b/fastrpc.cgi
index ff25ea399..aaa3af7cd 100755
--- a/fastrpc.cgi
+++ b/fastrpc.cgi
@@ -4,11 +4,12 @@
 # client. From then on, direct TCP connections can be made to this port
 # to send requests and get replies.
-$main::allow_rpc_only = 1;
 BEGIN { push(@INC, "."); };
 use WebminCore;
 use POSIX;
 use Socket;
+
+$main::allow_rpc_only = 1;
 $force_lang = $default_lang;
 &init_config();
diff --git a/rpc.cgi b/rpc.cgi
index 3f15fb979..569fdfbac 100755
--- a/rpc.cgi
+++ b/rpc.cgi
@@ -4,13 +4,13 @@
 # other webmin servers. State is preserved by starting a process for each
 # session that listens for requests on a named pipe (and dies after a few
 # seconds of inactivity)
-# access{'rpc'} 0=not allowed 1=allowed 2=allowed if root or admin, 3=allowed
+# access{'rpc'} 0=not allowed 1=allowed 2=allowed if root or admin, 3=RPC only
-$main::allow_rpc_only = 1;
 BEGIN { push(@INC, "."); };
 use WebminCore;
 use POSIX;
+$main::allow_rpc_only = 1;
 &init_config();
 if ($ENV{'REQUEST_METHOD'} eq 'POST') {
 local $got;
@@ -169,4 +169,3 @@ unlink($fifo1);
 unlink($fifo2);
 exit;
 }
-
diff --git a/web-lib-funcs.pl b/web-lib-funcs.pl
index cb11e08f8..138847899 100755
--- a/web-lib-funcs.pl
+++ b/web-lib-funcs.pl
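Review bot: In fastrpc.cgi the relocated `$main::allow_rpc_only = 1;` has no comment saying that it must execute before `&init_config()`, which is the only ordering that matters: `use WebminCore;` runs at compile time, so the assignment already ran after it in its old position above `BEGIN`. Because the flag switches off the RPC-only check in web-lib-funcs.pl (`if (!$main::allow_rpc_only && ...`), I would add a line such as `# RPC endpoint: exempt from the RPC-only UI block; must be set before init_config()` above it. The same applies to the assignments in rpc.cgi and xmlrpc.cgi. It is also worth confirming that no non-RPC script sets this flag, since any script that does is exempt from the block for RPC-only accounts.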
@@ -5741,6 +5741,16 @@ if ($module_name) {
 $module_root_directory = &module_root_directory($module_name);
 }
+if (!$main::allow_rpc_only &&
+ $main::webmin_script_type eq 'web' &&
+ !$main::no_acl_check &&
+ !defined($ENV{'FOREIGN_MODULE_NAME'})) {
+ # Check if this user is RPC-only
+ if (&webmin_user_can_rpc() == 2) {
+ &error($text{'erpconly'});
+ }
+ }
+
 if ($module_name && !$main::no_acl_check &&
 (!defined($ENV{'FOREIGN_MODULE_NAME'}) ||
 defined($ENV{'FOREIGN_MODULE_SEC_CHECK'})) &&
@@ -5759,16 +5769,6 @@ if ($module_name && !$main::no_acl_check &&
 $main::no_acl_check++;
 }
-if (!$main::allow_rpc_only &&
- $main::webmin_script_type eq 'web' &&
- !$main::no_acl_check &&
- !defined($ENV{'FOREIGN_MODULE_NAME'})) {
- # Check if this user is RPC-only
- if (&webmin_user_can_rpc() == 2) {
- &error($text{'erpconly'});
- }
- }
-
 # Check the Referer: header for nasty redirects
 my @referers = split(/\s+/, $gconfig{'referers'});
 my $referer_site;
diff --git a/xmlrpc.cgi b/xmlrpc.cgi
index 9a14aa0ee..aaebefb35 100755
--- a/xmlrpc.cgi
+++ b/xmlrpc.cgi
@@ -19,6 +19,8 @@ BEGIN { push(@INC, "."); };
 use WebminCore;
 use POSIX;
 use Socket;
+
+$main::allow_rpc_only = 1;
 $force_lang = $default_lang;
 $trust_unknown_referers = 2; # Only trust if referer was not set
 &init_config();
@@ -317,4 +319,3 @@ $xmlerr .= "\n";
 return $xmlerr;
 }
-
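Review bot: The moved RPC-only check in the first web-lib-funcs.pl hunk now depends on running before the module ACL block, whose `$main::no_acl_check++` would otherwise make the `!$main::no_acl_check` term false, but nothing in the code records that. A comment such as `# Must stay above the module ACL check, which sets $main::no_acl_check` would keep a later reorder from reintroducing the bypass. The check is still skipped for any script that sets `$main::no_acl_check` itself before this point, or that runs with `FOREIGN_MODULE_NAME` defined, so it is worth confirming that an RPC-only account cannot reach normal UI pages through either path. The literal `2` compared against `webmin_user_can_rpc()` is also unexplained, while the ACL comment in rpc.cgi calls RPC-only `3`; a short comment on that mapping would help. The enclosing function starts and ends outside the hunk.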