authorJo-Philipp Wich <jow@openwrt.org>2013-09-13 14:44:57 +0200
committerJo-Philipp Wich <jow@openwrt.org>2013-09-13 14:44:57 +0200
commit3864c083a42e713e291bd954b2fa6fe2b85e930a (patch)
treeda9af45523c833b21163a70547b7d44df0049510
parenta7b7badd525143971464d7d75c6e0faca1c12e96 (diff)
ubus: deny requests with a "ubus_rpc_session" toplevel attribute to prevent injecting different SIDs
-rw-r--r--ubus.c5
1 files changed, 4 insertions, 1 deletions
diff --git a/ubus.c b/ubus.c
index 3c11246..0d41c2d 100644
--- a/ubus.c
+++ b/ubus.c
@@ -250,8 +250,11 @@ static void uh_ubus_send_request(struct client *cl, json_object *obj, const char
int ret, rem;
blob_buf_init(&req, 0);
- blobmsg_for_each_attr(cur, args, rem)
+ blobmsg_for_each_attr(cur, args, rem) {
+ if (!strcmp(blobmsg_name(cur), "ubus_rpc_session"))
+ return uh_ubus_json_error(cl, ERROR_PARAMS);
blobmsg_add_blob(&req, cur);
+ }
blobmsg_add_string(&req, "ubus_rpc_session", sid);
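Review bot: The added `return uh_ubus_json_error(cl, ERROR_PARAMS);` sits in a function the hunk header declares as `static void`, and ISO C does not permit a return statement with an expression in a void function. Compilers tend to tolerate this only as an extension, presumably because the callee itself returns void, so a pedantic or stricter build may reject it. Bracing the `if` body and writing `uh_ubus_json_error(cl, ERROR_PARAMS);` followed by `return;` keeps the early exit portable. A short comment above the check would also record why the name is refused, for example `/* the session id is appended below from sid; a caller-supplied attribute of the same name must never be forwarded */`. The function body starts and ends outside the hunk, so whether anything set up earlier needs undoing before this early return cannot be judged from here.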