mirror of
https://github.com/billz/raspap-webgui.git
synced 2023-10-10 13:37:24 +02:00
Don't allow to read ini file everywhere on filesystem.
Signed-off-by: D9ping <D9ping@users.noreply.github.com>
parent
fb7ba20055
commit
182a6509e9
@ -5,8 +5,7 @@ include_once('../../includes/functions.php');
|
|||||||
|
|
||||||
|
|
||||||
if(isset($_POST['interface']) && isset($_POST['csrf_token']) && CSRFValidate()) {
|
if(isset($_POST['interface']) && isset($_POST['csrf_token']) && CSRFValidate()) {
|
||||||
$int = $_POST['interface'];
|
$int = preg_replace('/[^a-z0-9]/', '', $_POST['interface']);
|
||||||
// FIXME slashes and other forbidden filename characters not stripped. [security]
|
|
||||||
if(!file_exists(RASPI_CONFIG_NETWORKING.'/'.$int.'.ini')) {
|
if(!file_exists(RASPI_CONFIG_NETWORKING.'/'.$int.'.ini')) {
|
||||||
touch(RASPI_CONFIG_NETWORKING.'/'.$int.'.ini');
|
touch(RASPI_CONFIG_NETWORKING.'/'.$int.'.ini');
|
||||||
}
|
}
|
||||||
|
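Review bot: The new `preg_replace('/[^a-z0-9]/', '', $_POST['interface'])` line strips disallowed characters instead of rejecting the request, so a value such as `../x` is silently turned into a different name and the `touch()` below still creates an `.ini` for it; an empty result yields a file named just `.ini`. It also never checks that the field is a string, so an array-valued `interface` parameter makes `preg_replace` return an array that is then concatenated into the path. Validating rather than rewriting would be tighter: `if (!is_string($_POST['interface']) || preg_match('/\A[a-z0-9]+\z/', $_POST['interface']) !== 1) { /* reject the request */ }`, ideally followed by a check against the interfaces that actually exist on the host. Interface names containing `.`, `-`, `_` or uppercase letters would presumably be mangled by the current pattern into a different file name, which is worth confirming against the callers. The enclosing `if` block continues past the end of the hunk.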