sanitize params

2026-01-10 15:12:01 -03:30 · 2019-01-04 15:22:56 -07:00 · 2019-01-04 15:22:56 -07:00 · c842e00399
commit c842e00399
parent 7dd4828938
3 changed files with 11 additions and 3 deletions
--- a/bin/ncp-config
+++ b/bin/ncp-config
@ -96,7 +96,7 @@ function config_menu()

    # launch selected ncp_app
    info_app      "$ncp_app" || continue
-    configure_app "$ncp_app" || continue
+    configure_app "$ncp_app" && \
    run_app       "$ncp_app"
    echo "Done. Press any key..."
    read -r
--- a/etc/library.sh
+++ b/etc/library.sh
@ -61,7 +61,7 @@ function configure_app()

        for (( i = 0 ; i < len ; i++ )); do
          # check for invalid characters
-          grep -q "[;&[:space:]]" <<< "${ret_vals[$i]}" && { echo "Invalid characters in field ${vars[$i]}"; break; }
+          grep -q '[\\&#;`|*?~<>^()[{}$&[:space:]]' <<< "${ret_vals[$i]}" && { echo "Invalid characters in field ${vars[$i]}"; return 1; }

          cfg="$(jq ".params[$i].value = \"${ret_vals[$i]}\"" <<<"$cfg")"
        done
--- a/ncp-web/ncp-launcher.php
+++ b/ncp-web/ncp-launcher.php
@ -58,7 +58,15 @@ if ( $_POST['action'] == "launch" && $_POST['config'] )
      or exit('{ "output": "Invalid request" }');

    foreach ($cfg['params'] as $index => $param)
-      $cfg['params'][$index]['value'] = $new_params[$cfg['params'][$index]['id']];
+    {
+      // sanitize
+      $val = trim(escapeshellarg($new_params[$cfg['params'][$index]['id']]),"'");
+      preg_match( '/ /' , $val , $matches )
+        and exit( '{ "output": "Invalid parameters" , "token": "' . getCSRFToken() . '" }' );
+
+      // save
+      $cfg['params'][$index]['value'] = $val;
+    }

    $cfg_str = json_encode($cfg)
      or exit('{ "output": "' . $ncp_app . ' internal error" }');