mirror of
https://github.com/webmin/webmin.git
synced 2026-05-16 20:00:24 +01:00
04ae776e6a
Some checks failed
webmin.dev: webmin/webmin / build (push) Has been cancelled
* Note: Validate File Manager action name/file parameters as checked paths under the current directory and `allowed_paths` before operations, blocking traversal and symlink escapes.
51 lines
839 B
Perl
Executable File
51 lines
839 B
Perl
Executable File
#!/usr/local/bin/perl
|
|
|
|
require './filemin-lib.pl';
|
|
|
|
&ReadParse();
|
|
|
|
get_paths();
|
|
|
|
my $recursive;
|
|
if ($in{'recursive'} eq 'true') {
|
|
$recursive = '-R';
|
|
}
|
|
else {
|
|
$recursive = '';
|
|
}
|
|
|
|
my @errors;
|
|
if (!$in{'label'}) {
|
|
push @errors, "$text{'attr_label_error'}";
|
|
}
|
|
|
|
my $label = quotemeta("$in{'label'}");
|
|
$label =~ s/\\-/-/g;
|
|
$label =~ s/\\+//g;
|
|
$label =~ tr/a-zA-Z\-\+ //dc;
|
|
|
|
if (scalar(@errors) > 0) {
|
|
print_errors(@errors);
|
|
}
|
|
else {
|
|
foreach my $file (split(/\0/, $in{'name'})) {
|
|
my $full = &validate_filename_path($file);
|
|
if (system_logged(
|
|
"chattr $recursive ".$label.
|
|
" ".quotemeta($full)
|
|
) != 0) {
|
|
push @errors,
|
|
(html_escape($file).
|
|
" - $text{'attr_label_error_proc'}: $?");
|
|
}
|
|
}
|
|
|
|
if (scalar(@errors) > 0) {
|
|
print_errors(@errors);
|
|
}
|
|
else {
|
|
&redirect(
|
|
"index.cgi?path=".&urlize($path));
|
|
}
|
|
}
|