authorJo-Philipp Wich <jo@mein.io>2018-11-14 13:37:51 +0100
committerJo-Philipp Wich <jo@mein.io>2018-11-14 20:46:04 +0100
commit6f7736c436e1759098102859559f1313ad0669db (patch)
treee75ebe417e764c0b9220c2e76719f37e486393d5 /modules
parentaa2e0e2488f52b2b0acd1746ee13c7f51377f757 (diff)
luci-mod-system: prevent comment injection in mtdbackup endpoint
Rework the parameter handling to both prevent a crash when no parameter is given and to prevent root command injection through the mtd index part of the parameter value. Fixes: 9840d310e ("modules: add backup module for mtdblock devices") Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Diffstat (limited to 'modules')
-rw-r--r--modules/luci-mod-system/luasrc/controller/admin/system.lua10
1 files changed, 7 insertions, 3 deletions
diff --git a/modules/luci-mod-system/luasrc/controller/admin/system.lua b/modules/luci-mod-system/luasrc/controller/admin/system.lua
index 4e83769ee..8d9305f4f 100644
--- a/modules/luci-mod-system/luasrc/controller/admin/system.lua
+++ b/modules/luci-mod-system/luasrc/controller/admin/system.lua
@@ -319,9 +319,13 @@ function action_backup()
end
function action_backupmtdblock()
- local http = require "luci.http"
- local mv = http.formvalue("mtdblockname")
- local m, s, n = mv:match('^([^%s]+)/([^%s]+)/([^%s]+)')
+ local mv = luci.http.formvalue("mtdblockname") or ""
+ local m, n = mv:match('^([^%s%./"]+)/%d+/(%d+)$')
+
+ if not m and n then
+ luci.http.status(400, "Bad Request")
+ return
+ end
local reader = ltn12_popen("dd if=/dev/mtd%s conv=fsync,notrunc 2>/dev/null" % n)