authorTed Trask <ttrask01@yahoo.com>2009-01-21 22:04:37 +0000
committerTed Trask <ttrask01@yahoo.com>2009-01-21 22:04:37 +0000
commite5cdb84647b17427ed0f8afc77ab83af6f537ac0 (patch)
treea08a425cb3704fbc75143d09715c6815ed3ec6f6
parent1a930fe2020e3d309f4716c4814d1dd8a92ee03c (diff)
Added escapespecialcharacters to format.lua to escape shell special characters. Reviewed all calls to io.popen and os.execute to escape special characters. Fixed file uploads in openssl and ipsectools with viewfunctions.lua. Tried to fix openssl renew when subject contains special characters, but not done yet. [tag: release-0.4.19]
git-svn-id: svn://svn.alpinelinux.org/acf/core/trunk@1687 ab2d0c66-481e-0410-8bed-d214d4d58bed
-rw-r--r--acf-hooks.lua3
-rw-r--r--lib/format.lua12
-rw-r--r--lib/fs.lua11
-rw-r--r--lib/html.lua2
-rw-r--r--lib/menubuilder.lua4
-rw-r--r--lib/processinfo.lua21
-rw-r--r--lib/roles.lua2
-rw-r--r--lib/viewfunctions.lua6
8 files changed, 39 insertions, 22 deletions
diff --git a/acf-hooks.lua b/acf-hooks.lua
index 41119bf..bae047e 100644
--- a/acf-hooks.lua
+++ b/acf-hooks.lua
@@ -15,12 +15,13 @@
-- self, CONFFILE, and TEMPFILE
-- Example of a general logging function
+require("format")
local precommit=function(self, conf, temp)
local logfile = "/var/log/acf-" .. self.conf.controller .. ".log"
fs.write_line_file (logfile, "#---- BEGIN TRANSACTION - " ..
os.date() .. "\n" .. self.sessiondata.userinfo.userid ..
" modifed " .. conf .. " as follows:")
- os.execute ("diff -u " .. conf .. " " .. temp .. " >>" .. logfile)
+ os.execute ("diff -u " .. format.escapespecialcharacters(conf) .. " " .. format.escapespecialcharacters(temp) .. " >>" .. format.escapespecialcharacters(logfile))
fs.write_line_file (logfile, "\n#---- END TRANSACTION -")
end
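Review bot: Escaping on the new os.execute line does not confine where the transaction log is written: escapespecialcharacters turns `/` into `\/`, which sh reads back as a plain `/`, and the logfile path is built from `self.conf.controller`, so a controller value containing `../` still redirects the diff output outside /var/log (the same path is also written directly by fs.write_line_file, so the problem is not specific to the shell call). If the controller name comes from the request path, as it presumably does, it should be validated before use, e.g. `if not string.match(self.conf.controller, "^[%w%._%-]+$") then return end` at the top of precommit. The exit status of os.execute is also discarded, so a failed diff leaves a BEGIN/END pair with no body and no hint of why.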
diff --git a/lib/format.lua b/lib/format.lua
index 6ef831a..331d112 100644
--- a/lib/format.lua
+++ b/lib/format.lua
@@ -13,8 +13,14 @@ function dostounix ( str )
return data
end
+-- Escape Lua magic characters
function escapemagiccharacters ( str )
- return string.gsub(str, "[%(%)%.%%%+%-%*%?%[%]%^%$]", "%%%1")
+ return (string.gsub(str or "", "[%(%)%.%%%+%-%*%?%[%]%^%$]", "%%%1"))
+end
+
+-- Escape shell special characters
+function escapespecialcharacters ( str )
+ return (string.gsub(str or "", "[~`#%$&%*%(%)\\|%[%]{};\'\"<>/]", "\\%1"))
end
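Review bot: escapespecialcharacters, added here, leaves space, tab, newline, `!` and `?` unescaped, so a value containing a space still splits into separate words at every caller in this commit that concatenates it unquoted (fs.lua, processinfo.lua, menubuilder.lua), and a newline terminates the command. A whitelist is safer than enumerating metacharacters: `return (string.gsub(str or "", "[^%w%._%-]", "\\%1"))` backslash-escapes everything except alphanumerics, `.`, `_` and `-` (it still escapes `/` as the current list does). Note that backslash-newline is a line continuation in sh, so a newline is mangled rather than neutralised by escaping and should be rejected outright at the callers that accept user input. A header comment stating the contract would help callers pick the right quoting: `-- Backslash-escape str for use as a single UNQUOTED sh word; not valid inside double quotes`.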
-- search and remove all blank and commented lines from a string or table of lines
@@ -182,7 +188,7 @@ function string_to_table ( text, delimiter)
end
function md5sum_string ( str)
- cmd = "/bin/echo -n " .. str .. "|/usr/bin/md5sum|cut -f 1 -d \" \" "
+ local cmd = "/bin/echo -n \"" .. format.escapespecialcharacters(str) .. "\"|/usr/bin/md5sum|cut -f 1 -d \" \" "
f = io.popen(cmd)
local checksum = {}
for line in f:lines() do
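Review bot: The escaped string on the new `cmd` line is placed inside double quotes, where sh only removes a backslash before `$`, `` ` ``, `"` and `\`; for every other character the function escapes (`~`, `#`, `*`, `(`, `)`, `[`, `]`, `{`, `}`, `;`, `<`, `>`, `/`, `'`) the backslash is passed through to echo, so `md5sum_string("a/b")` now hashes `a\/b` instead of `a/b`. Dropping the surrounding quotes, `local cmd = "/bin/echo -n " .. format.escapespecialcharacters(str) .. "|/usr/bin/md5sum|cut -f 1 -d \" \" "`, makes the escaping mean what it says, but whitespace is not escaped by that function and would then be collapsed by word splitting, so the shell route is wrong either way. Passing the input on a command line also exposes it in the process list; if this is ever used for credentials, writing it to a temporary file piped into md5sum or computing the digest in-process would be preferable. `f` on the following line is still a global, so `local f = io.popen(cmd)` would complete the scoping this hunk began. md5sum_string's body continues outside the hunk.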
@@ -207,7 +213,7 @@ expand_bash_syntax_vars = function (str)
for w in string.gmatch (str, "${[^}]*}" ) do
local rvar = string.sub(w,3,-2)
local rval = ( deref(rvar) or "nil" )
- str = string.gsub (str, w, rval)
+ str = string.gsub (str, w, escapespecialcharacters(rval))
end
return (str)
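Review bot: `w` is still used as a raw Lua pattern on the new gsub line, and the escaped replacement may contain `%` (escapespecialcharacters does not touch it), which gsub treats as a capture reference and raises "invalid use of '%' in replacement string"; a variable name containing a pattern magic character such as `.` or `-` likewise changes what gets replaced. Using the sibling helper fixed in this same commit for the pattern and a function for the replacement avoids both: `str = string.gsub(str, escapemagiccharacters(w), function() return escapespecialcharacters(rval) end)`. Shell-escaping the expanded value also assumes the result of expand_bash_syntax_vars is only ever handed to sh — confirm with callers, since any other consumer will now see stray backslashes. The function starts and ends outside this hunk.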
diff --git a/lib/fs.lua b/lib/fs.lua
index 55c5340..5ad6e33 100644
--- a/lib/fs.lua
+++ b/lib/fs.lua
@@ -7,7 +7,8 @@
module (..., package.seeall)
-require ("posix")
+require("posix")
+require("format")
basename = function (string, suffix)
string = string or ""
@@ -43,7 +44,7 @@ end
-- Creates a directory if it doesn't exist
function create_directory ( path )
- local cmd = "mkdir -p "..(path or "")
+ local cmd = "mkdir -p " .. format.escapespecialcharacters(path)
local f = io.popen(cmd)
f:close()
return is_dir(path)
@@ -53,7 +54,7 @@ end
function create_file ( path )
path = path or ""
if dirname(path) and not posix.stat(dirname(path)) then create_directory(dirname(path)) end
- local cmd = "touch "..path
+ local cmd = "touch "..format.escapespecialcharacters(path)
local f = io.popen(cmd)
f:close()
return is_file(path)
@@ -116,9 +117,9 @@ end
--will return a string with md5sum and filename
function md5sum_file ( path )
- cmd = "/usr/bin/md5sum " .. (path or "")
+ local cmd = "/usr/bin/md5sum "..format.escapespecialcharacters(path)
f = io.popen(cmd)
- checksum = f:read("*a")
+ local checksum = f:read("*a")
f:close()
return checksum
end
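Review bot: `f` on the line between the two new `local` declarations is still assigned as a global, so the handle leaks into `_G` and is clobbered by any other module using the same name; `local f = io.popen(cmd)` finishes the scoping this hunk started. The function also returns md5sum's raw output, which includes the file name, and returns `""` with no error indication when the file cannot be read, which is worth stating for callers: `-- Returns the raw "<md5>  <path>" line from md5sum, or "" if the file could not be read`.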
diff --git a/lib/html.lua b/lib/html.lua
index 4dac45f..b27bcf1 100644
--- a/lib/html.lua
+++ b/lib/html.lua
@@ -41,7 +41,7 @@ function html_escape (text )
str = string.gsub (str, "<", "&lt;" )
str = string.gsub (str, ">", "&gt;" )
str = string.gsub (str, "'", "&#39;" )
- return string.gsub (str, '"', "&quot;" )
+ return (string.gsub (str, '"', "&quot;" ))
end
-- return a name,value pair as a string.
diff --git a/lib/menubuilder.lua b/lib/menubuilder.lua
index c7ff075..4105db6 100644
--- a/lib/menubuilder.lua
+++ b/lib/menubuilder.lua
@@ -5,12 +5,14 @@
]]--
module(..., package.seeall)
+require("format")
+
-- returns a table of the "*.menu" tables
-- uses the system "find" command
-- startdir should be the app dir.
local get_candidates = function (startdir)
local t = {}
- local fh = io.popen('find ' .. startdir .. ' -name "*.menu"')
+ local fh = io.popen('find ' .. format.escapespecialcharacters(startdir) .. ' -name "*.menu"')
for x in fh:lines() do
t[#t + 1] = x
end
diff --git a/lib/processinfo.lua b/lib/processinfo.lua
index 736cfd2..bc8c5dd 100644
--- a/lib/processinfo.lua
+++ b/lib/processinfo.lua
@@ -1,14 +1,15 @@
module(..., package.seeall)
-require("fs")
require("posix")
+require("fs")
+require("format")
local path = "PATH=/usr/bin:/bin:/usr/sbin:/sbin "
function package_version(packagename)
local cmderrors
- local f = io.popen( "PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin apk_version -vs " .. packagename .." | egrep -v 'acf' 2>/dev/null" )
+ local f = io.popen( "PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin apk_version -vs " .. format.escapespecialcharacters(packagename) .." | egrep -v 'acf' 2>/dev/null" )
local cmdresult = f:read("*l")
if (cmdresult) and (#cmdresult > 0) then
cmdresult = (string.match(cmdresult,"^%S*") or "Unknown")
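Review bot: Escaping does not stop a `packagename` that begins with `-` from being parsed by apk_version as an option on the new io.popen line, since backslash-escaping leaves a leading hyphen unchanged. Rejecting anything that is not a plausible package name before building the command closes that off; presumably apk names are limited to alphanumerics and `.`, `-`, `_`, `+`, so `if not string.match(packagename or "", "^[%w][%w%.%-_+]*$") then return nil, "Invalid package name" end` would do, subject to confirming the allowed character set. package_version continues outside the hunk.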
@@ -21,7 +22,7 @@ end
function process_startupsequence(servicename)
local cmderrors
- local f = io.popen( "/sbin/rc_status | egrep '^S' | egrep '" .. servicename .."' 2>/dev/null" )
+ local f = io.popen( "/sbin/rc_status | egrep '^S' | egrep \"" .. format.escapespecialcharacters(servicename) .."\" 2>/dev/null" )
local cmdresult = f:read("*a")
if (cmdresult) and (#cmdresult > 0) then
cmdresult = "Service will autostart at next boot (at sequence '" .. string.match(cmdresult,"^%a+(%d%d)") .. "')"
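Review bot: servicename is still interpolated into an egrep pattern on the new line, so `.`, `+`, `?` and `^` in a name keep their regex meaning (the function escapes `*`, `(`, `)`, `[`, `]` and `|`, whose backslashes survive double quotes and make them literals to egrep, but not the rest), and the name matches as an unanchored substring, so `foo` reports the startup sequence of `foobar`. Reading rc_status once and filtering in Lua with a plain (non-pattern) find keeps user text out of the shell entirely; anchoring the name within the line still needs the exact rc_status line layout, which is not visible here. process_startupsequence continues outside the hunk.
```lua
local f = io.popen("/sbin/rc_status 2>/dev/null")
local cmdresult = ""
for line in f:lines() do
	-- plain find: regex/pattern metacharacters in servicename are harmless
	if string.sub(line, 1, 1) == "S" and string.find(line, servicename, 1, true) then
		cmdresult = cmdresult .. line .. "\n"
	end
end
f:close()
-- … unchanged: result and error handling …
```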
@@ -78,8 +79,8 @@ function add_startupsequence(servicename, sequence, kill, system)
local cmd = {path, "rc_add"}
if kill then cmd[#cmd+1] = "-k" end
if system then cmd[#cmd+1] = "-S" end
- if sequence then cmd[#cmd+1] = "-s "..sequence end
- cmd[#cmd+1] = servicename
+ if sequence and tonumber(sequence) then cmd[#cmd+1] = "-s "..sequence end
+ cmd[#cmd+1] = format.escapespecialcharacters(servicename)
cmd[#cmd+1] = "2>&1"
delete_startupsequence(servicename)
local f = io.popen(table.concat(cmd, " "))
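Review bot: `tonumber(sequence)` on the new line accepts values such as `1e2`, `0x10`, ` 7` or `-5` that are numbers to Lua but are unlikely to be the sequence number rc_add expects, and a non-numeric sequence is now silently dropped rather than reported. A digit-only check is both shell-safe and stricter: `if sequence and string.match(tostring(sequence), "^%d+$") then cmd[#cmd+1] = "-s "..sequence end`, with an else branch setting the function's error variable if the caller should hear about it (that variable is presumably declared above the hunk; not visible here). add_startupsequence starts and ends outside the hunk.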
@@ -96,7 +97,7 @@ function delete_startupsequence(servicename)
if not servicename then
cmderrors = "Invalid service name"
else
- local f = io.popen(path.."rc_delete "..servicename)
+ local f = io.popen(path.."rc_delete "..format.escapespecialcharacters(servicename))
cmdresult = f:read("*a")
f:close()
if cmdresult == "" then cmderrors = "Failed to delete sequence" end
@@ -108,9 +109,11 @@ end
function daemoncontrol (process, action)
local cmdresult = ""
local cmderrors
- if (string.lower(action) == "start") or (string.lower(action) == "stop") or (string.lower(action) == "restart") then
+ if not process then
+ cmderrors = "Invalid service name"
+ elseif (string.lower(action) == "start") or (string.lower(action) == "stop") or (string.lower(action) == "restart") then
local file = io.popen( "PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin /etc/init.d/" ..
- process .. " " .. string.lower(action) .. " 2>&1" )
+ format.escapespecialcharacters(process) .. " " .. string.lower(action) .. " 2>&1" )
if file ~= nil then
cmdresult = file:read( "*a" )
file:close()
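Review bot: Escaping does not stop a `process` value from leaving /etc/init.d/: escapespecialcharacters turns `/` into `\/`, which sh reads back as a plain `/`, so `process = "../../bin/sh"` still executes `/bin/sh start`. The new `if not process` guard should also require a bare service name, e.g. `if not process or not string.match(process, "^[%w%._%-]+$") then cmderrors = "Invalid service name"`. `string.lower(action)` on the following branch still raises a Lua error on a nil action; folding `not action` into the same guard turns a missing form field into a reported error instead. daemoncontrol continues outside the hunk.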
@@ -180,7 +183,7 @@ end
local function has_pidfile(name)
local pid
- local f = io.popen(path .. "find /var/run/ -name "..name..".pid")
+ local f = io.popen(path .. "find /var/run/ -name "..format.escapespecialcharacters(name)..".pid")
local file = f:read("*a")
f:close()
if file and string.find(file, "%w") then
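Review bot: `-name` takes a glob, and `?` is not in the escape list, so on the new line a name like `a?` matches the pidfile of any two-character service (`*` and `[` are escaped and reach find as literals, so only `?` is affected). Validating the name before spawning find avoids relying on the escape list at all: `if not string.match(name or "", "^[%w%._%-]+$") then return nil end`. has_pidfile continues outside the hunk.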
diff --git a/lib/roles.lua b/lib/roles.lua
index b828458..e57490e 100644
--- a/lib/roles.lua
+++ b/lib/roles.lua
@@ -12,7 +12,7 @@ guest_role = "GUEST"
-- startdir should be the app dir
local get_roles_candidates = function (startdir)
local t = {}
- local fh = io.popen('find ' .. startdir .. ' -name "*.roles"')
+ local fh = io.popen('find ' .. format.escapespecialcharacters(startdir) .. ' -name "*.roles"')
for x in fh:lines() do
t[#t + 1] = x
end
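Review bot: `format.escapespecialcharacters` is referenced on the new line, but unlike menubuilder.lua in this same commit, roles.lua gets no `require("format")`; with `module(..., package.seeall)` the call resolves through the global environment only if some other module has already loaded format, so it works by accident of load order. Add `require("format")` next to the other requires at the top of roles.lua (outside this hunk). get_roles_candidates continues outside the hunk.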
diff --git a/lib/viewfunctions.lua b/lib/viewfunctions.lua
index f1c5436..cee6db6 100644
--- a/lib/viewfunctions.lua
+++ b/lib/viewfunctions.lua
@@ -175,7 +175,11 @@ function displayformstart(myform, page_info)
end
if myform.descr then io.write('<P CLASS="descr">' .. string.gsub(html.html_escape(myform.descr), "\n", "<BR>") .. "</P>\n") end
if myform.errtxt then io.write('<P CLASS="error">' .. string.gsub(html.html_escape(myform.errtxt), "\n", "<BR>") .. "</P>\n") end
- io.write('<form action="' .. html.html_escape(myform.action) .. '" method="POST">\n')
+ io.write('<form action="' .. html.html_escape(myform.action) .. '" ')
+ if myform.enctype and myform.enctype ~= "" then
+ io.write('enctype="'..html.html_escape(myform.enctype)..'" ')
+ end
+ io.write('method="POST">\n')
if myform.value.redir then
displayformitem(myform.value.redir, "redir")
end