only allow pre-defined directories (avoid regex)

Just to be more secure.

only allow pre-defined directories (avoid regex)
Just to be more secure.
60630ac1 · Dietmar Maurer · 43138247 · 60630ac1 · 60630ac1
Commit 60630ac1 authored Apr 10, 2013 by Dietmar Maurer
Hide whitespace changes
Inline Side-by-side

Showing with 30 additions and 12 deletions

APIDaemon.pm PVE/APIDaemon.pm +7 -6

pveproxy bin/pveproxy +23 -6

No files found.
--- a/PVE/APIDaemon.pm
+++ b/PVE/APIDaemon.pm
@@ -265,16 +265,17 @@ sub handle_request {
 	} 
 	if ($self->{dirs} && ($method eq 'GET')) {
-	    foreach my $dir (keys %{$self->{dirs}}) {
+	    # we only allow simple names
-		# we only allow simple names
+	    if ($uri =~ m!^(/\S+/)([a-zA-Z0-9\-\_\.]+)$!) {
-		if ($uri =~ m/^$dir([a-zA-Z0-9\-\_\.\/]+)$/) {
+		my ($subdir, $file) = ($1, $2);
-		    my $reluri = $1;
+		if (my $dir = $self->{dirs}->{$subdir}) {
-		    $reluri =~ s/\.\./XX/g; # do not allow '..'
+		    my $filename = "$dir$file";
-		    my $filename = "$self->{dirs}->{$dir}$reluri";
 		    my $fh = IO::File->new($filename) ||
 			die "unable to open file '$filename' - $!\n";
 		    send_file_start($self, $reqstate, $filename);
 		    return;
+		} else {
+		    print "FAILED\n"
 		}
 	    }
 	}

--- a/bin/pveproxy
+++ b/bin/pveproxy
@@ -44,11 +44,33 @@ $0 = "pveproxy";
 PVE::APIDaemon::enable_debug() if $opt_debug;
+sub add_dirs {
+    my ($result_hash, $alias, $subdir) = @_;
+    $result_hash->{$alias} = $subdir;
+    my $wanted = sub {
+	my $dir = $File::Find::dir;
+	if ($dir =~m!^$subdir(.*)$!) {
+	    my $name = "$alias$1/";
+	    $result_hash->{$name} = "$dir/";
+	}
+    };
+    find({wanted => $wanted, follow => 0, no_chdir => 1}, $subdir);
+}
 my $cpid;
 my $daemon;
 eval {
+    my $dirs = {};
+    add_dirs($dirs, '/pve2/ext4/', '/usr/share/pve-manager/ext4/');
+    add_dirs($dirs, '/pve2/images/' => '/usr/share/pve-manager/images/');
+    add_dirs($dirs, '/pve2/css/' => '/usr/share/pve-manager/css/');
+    add_dirs($dirs, '/vncterm/' => '/usr/share/vncterm/');
    $daemon = PVE::APIDaemon->new(
 	port => 8006, 
 	keep_alive => 100,
@@ -69,12 +91,7 @@ eval {
 		file => '/usr/share/pve-manager/images/favicon.ico',
 	    },
 	},
-	dirs => {
+	dirs => $dirs,
-	    '/pve2/images/' => '/usr/share/pve-manager/images/',
-	    '/pve2/css/' => '/usr/share/pve-manager/css/',
-	    '/pve2/ext4/' => '/usr/share/pve-manager/ext4/',
-	    '/vncterm/' => '/usr/share/vncterm/',
-	},
    );
 };