author | Jo-Philipp Wich <jo@mein.io> | 2021-10-08 20:22:58 +0200 |
---|---|---|
committer | Jo-Philipp Wich <jo@mein.io> | 2021-10-08 20:27:13 +0200 |
commit | 44445a8097d05dbcc807c95c5b2c016f1a49a350 (patch) | |
tree | b5c3f4aff6f62b8b34dc635e08f5980cf29f3c3e /protocols/luci-proto-wireguard | |
parent | 21af8a34fdcfd78dc125c7cf9a6372925c074477 (diff) |
luci-proto-wireguard: fix potential shell injection vulnerabilities
The `luci.wireguard.generateQrCode` UBUS method allows injecting
arbitrary shell code by not sanitizing the `privkey` and `allowed_ips`
arguments before concatenating them into shell command expressions.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Diffstat (limited to 'protocols/luci-proto-wireguard')
-rwxr-xr-x | protocols/luci-proto-wireguard/root/usr/libexec/rpcd/luci.wireguard | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/protocols/luci-proto-wireguard/root/usr/libexec/rpcd/luci.wireguard b/protocols/luci-proto-wireguard/root/usr/libexec/rpcd/luci.wireguard
index ce21570cce..681e98e5c4 100755
--- a/protocols/luci-proto-wireguard/root/usr/libexec/rpcd/luci.wireguard
+++ b/protocols/luci-proto-wireguard/root/usr/libexec/rpcd/luci.wireguard
@@ -1,6 +1,7 @@
 #!/usr/bin/env lua
 local json = require "luci.jsonc"
+local util = require "luci.util"
 local sys = require "luci.sys"
 local io = require "io"
 local uci = require "uci"
@@ -10,7 +11,7 @@ local methods = {
 generateKeyPair = {
 call = function()
 local prv = sys.exec("wg genkey 2>/dev/null"):sub(1, -2)
- local pub = sys.exec("echo '" .. prv .. "' | wg pubkey 2>/dev/null"):sub(1, -2)
+ local pub = sys.exec("echo %s | wg pubkey 2>/dev/null" % util.shellquote(prv)):sub(1, -2)
 return {keys = {priv = prv, pub = pub}}
 end
@@ -25,7 +26,7 @@ local methods = {
 local listen_port = args.listen_port
 local allowed_ips = args.allowed_ips
- local pubkey = sys.exec("echo '" .. args.privkey .. "' | wg pubkey 2>/dev/null"):sub(1, -2)
+ local pubkey = sys.exec("echo %s | wg pubkey 2>/dev/null" % util.shellquote(args.privkey)):sub(1, -2)
 local client_privkey = sys.exec("wg genkey 2>/dev/null"):sub(1, -2)
 local iface_qr = {
@@ -48,7 +49,7 @@ local methods = {
 end
 qr_enc = table.concat(iface_qr, "\n") .. "\n\n" .. table.concat(peer_qr, "\n")
- qr_code = sys.exec("/usr/bin/qrencode --inline --8bit --type=SVG --output=- '" .. qr_enc .. "' 2>/dev/null")
+ qr_code = sys.exec("/usr/bin/qrencode --inline --8bit --type=SVG --output=- %s 2>/dev/null" % util.shellquote(qr_enc))
 return {qr_code = qr_code} |
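Review bot: In the third hunk, `util.shellquote(args.privkey)` closes the injection, but the caller-supplied key still reaches `echo` unvalidated, and a value such as `-n` or `-e` is consumed by `echo` as an option rather than data (no longer dangerous to the shell, but it yields a wrong or empty `pubkey`); a format check before the call, e.g. `if type(args.privkey) ~= "string" or #args.privkey ~= 44 or not args.privkey:match("^[%w+/]+=$") then` returning an error result, keeps anything that is not a base64 WireGuard key away from the shell entirely, which is the defence-in-depth layer quoting alone does not give. The `%s` formatting on the new lines depends on the `__mod` string hook that, as far as I recall, `luci.util` installs when it is loaded, so the added `require "luci.util"` in the first hunk is what makes the operator work and not merely a home for `shellquote`; a short comment there, `-- also installs the string "%" formatting operator used below`, would stop a later cleanup from dropping it as unused. The private key is also handed over on the `sh -c` command line, which is readable from the process table for as long as `wg pubkey` runs; if that exposure matters on this system, feeding the key on stdin avoids it. The enclosing `generateQrCode` function starts and ends outside the hunk.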