check for path transversal

changelog.md

@@ -1,9 +1,11 @@
 
-[v0.64.10](https://github.com/nextcloud/nextcloudpi/commit/f836c87) (2018-10-24) update: update sources
+[v0.64.11](https://github.com/nextcloud/nextcloudpi/commit/89218e5) (2018-10-27) check for path transversal
 
-[v0.64.9](https://github.com/nextcloud/nextcloudpi/commit/b847ad4) (2018-10-23) ncp-config: use simple characters
+[v0.64.10](https://github.com/nextcloud/nextcloudpi/commit/26083e9) (2018-10-24) update: update sources
 
-[v0.64.8 ](https://github.com/nextcloud/nextcloudpi/commit/dceacdf) (2018-10-22) ncp-web: update chinese translations
+[v0.64.9 ](https://github.com/nextcloud/nextcloudpi/commit/54e5c21) (2018-10-23) ncp-config: use simple characters
+
+[v0.64.8 ](https://github.com/nextcloud/nextcloudpi/commit/9d998ae) (2018-10-22) ncp-web: update chinese translations
 
 [v0.64.7 ](https://github.com/nextcloud/nextcloudpi/commit/20a4147) (2018-10-21) ncp-web: update chinese translations
 

ncp.sh

@@ -130,7 +130,8 @@ EOF
   cat > /home/www/ncp-launcher.sh <<'EOF'
 #!/bin/bash
 DIR=/usr/local/etc/ncp-config.d
-test -f $DIR/$1 || { echo "File not found"; exit 1; }
+[[ -f $DIR/$1  ]] || { echo "File not found"; exit 1; }
+[[ "$1" =~ ../ ]] && { echo "Forbidden path"; exit 2; }
 source /usr/local/etc/library.sh
 cd $DIR
 launch_script $1

update.sh

@@ -218,6 +218,18 @@ EOF
   [[ "$( ls -l /etc/php/7.2/fpm/conf.d/*-opcache.ini |  wc -l )" -gt 1 ]] && rm "$( ls /etc/php/7.2/fpm/conf.d/*-opcache.ini | tail -1 )"
   [[ "$( ls -l /etc/php/7.2/cli/conf.d/*-opcache.ini |  wc -l )" -gt 1 ]] && rm "$( ls /etc/php/7.2/cli/conf.d/*-opcache.ini | tail -1 )"
 
+  # update launcher
+  cat > /home/www/ncp-launcher.sh <<'EOF'
+#!/bin/bash
+DIR=/usr/local/etc/ncp-config.d
+[[ -f $DIR/$1  ]] || { echo "File not found"; exit 1; }
+[[ "$1" =~ ../ ]] && { echo "Forbidden path"; exit 2; }
+source /usr/local/etc/library.sh
+cd $DIR
+launch_script $1
+EOF
+  chmod 700 /home/www/ncp-launcher.sh
+
 } # end - only live updates
 
 exit 0