luci-base: sys: prevent path traversal via sys.init routines

Filter the init script name parameter through fs.basename() to avoid invoking paths outside of /etc/init.d/. Reported-by: Graham R <gr348@cam.ac.uk> Signed-off-by: Jo-Philipp Wich <jo@mein.io>
author: Jo-Philipp Wich <jo@mein.io> 2022-01-19 16:32:52 +0100
committer: Jo-Philipp Wich <jo@mein.io> 2022-01-19 16:32:52 +0100
commit: 8752701b0d01a81d0bd0a735be733f24ad11ab69 (patch)
tree: 48741b61bb0a70dc78bdc815df7a67f1f14aeea1
parent: 35df2adaf8a2c5b4fa61f58049f409ca087c0547 (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/modules/luci-base/luasrc/sys.lua b/modules/luci-base/luasrc/sys.lua
index aa00766fb8..af345a16d5 100644
--- a/modules/luci-base/luasrc/sys.lua
+++ b/modules/luci-base/luasrc/sys.lua
@@ -566,6 +566,7 @@ function init.names()
 end
 
 function init.index(name)
+	name = fs.basename(name)
 	if fs.access(init.dir..name) then
 		return call("env -i sh -c 'source %s%s enabled; exit ${START:-255}' >/dev/null"
 			%{ init.dir, name })
@@ -573,6 +574,7 @@ function init.index(name)
 end
 
 local function init_action(action, name)
+	name = fs.basename(name)
 	if fs.access(init.dir..name) then
 		return call("env -i %s%s %s >/dev/null" %{ init.dir, name, action })
 	end
author	Jo-Philipp Wich <jo@mein.io>	2022-01-19 16:32:52 +0100
committer	Jo-Philipp Wich <jo@mein.io>	2022-01-19 16:32:52 +0100
commit	8752701b0d01a81d0bd0a735be733f24ad11ab69 (patch)
tree	48741b61bb0a70dc78bdc815df7a67f1f14aeea1
parent	35df2adaf8a2c5b4fa61f58049f409ca087c0547 (diff)