fix command injection
Lutz Bender committed Feb 5, 2024
1 parent 5d2334a commit 85a8d8f
Showing 2 changed files with 7 additions and 7 deletions.
6 changes: 3 additions & 3 deletions web/settings/mqttapi.php
Expand Up @@ -8,7 +8,7 @@
$message = $_GET["message"];
# check if topic is allowed to write
if(strpos($topic, "/set/") !== false){
$command = "mosquitto_pub -h localhost -t '$topic' -m '$message' 2>&1";
$command = "mosquitto_pub -h localhost -t " . escapeshellarg($topic) . " -m " . escapeshellarg($message) . " 2>&1";
$output = exec($command);
# Skip an annoying warning because it doesn't cause any problems
$output = str_replace("Warning: Unable to locate configuration directory, default config not loaded.", "", $output);
Expand All @@ -29,7 +29,7 @@
}
# reading topic
else{
$command = "mosquitto_sub -h localhost -t '$topic' -C 1 -W 1 2>&1";
$command = "mosquitto_sub -h localhost -t " . escapeshellarg($topic) . " -C 1 -W 1 2>&1";
$output = exec($command);
# Skip an annoying warning because it doesn't cause any problems
$output = str_replace("Warning: Unable to locate configuration directory, default config not loaded.", "", $output);
Expand All @@ -48,4 +48,4 @@
http_response_code(400);
echo "Error: No 'topic' field provided. \nExample reading a MQTT-Topic: 'http://IP/openWB/web/settings/mqttapi.php?topic=openWB/pv/W' \nExample writing a MQTT-Topic: 'http://IP/openWB/web/settings/mqttapi.php?topic=openWB/set/pv/1/W&message=-1000' ";
}
?>
?>
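Review bot: The escapeshellarg() calls on the two lines that build $command for mosquitto_pub and mosquitto_sub close the shell-injection hole, but $topic and $message still reach the command unvalidated from $_GET (line 17 reads `$_GET["message"]` with no isset check), and the only write gate is `strpos($topic, "/set/") !== false`, which accepts `/set/` anywhere in the string rather than as a prefix. I would add an explicit character allowlist before either branch, matching what openWB topics actually use (the examples in the 400 message are alphanumerics and `/`; verify against the full topic list), e.g. `if (!preg_match('#^[A-Za-z0-9_/\-]+$#', $topic)) { http_response_code(400); exit; }`, plus a comment on each escaped line such as `# escapeshellarg() quotes the whole argument; keep it even though the topic is pre-validated`. exec() here also discards the exit status, so a refused publish or a timed-out subscribe is only visible through the merged stderr text; `exec($command, $lines, $rc)` would let the script report failure explicitly. The if/else opened on line 19 continues past these hunks, and the final `?>` hunk appears to differ only in the trailing newline.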
8 changes: 4 additions & 4 deletions web/settings/saveconfig.php
Expand Up @@ -142,22 +142,22 @@
if( array_key_exists( 'etprovideraktiv', $_POST ) && ($_POST['etprovideraktiv'] == 1) ){ ?>
<script>$('#feedbackdiv').append("<br>Update des Stromtarifanbieters gestartet.");</script>
<?php
exec( $_SERVER['DOCUMENT_ROOT'] . "/openWB/modules/" . $_POST['etprovider'] . "/main.sh >> /var/log/openWB.log 2>&1 &" );
exec( 'mosquitto_pub -t openWB/global/ETProvider/modulePath -r -m "' . $_POST['etprovider'] . '"' );
exec( $_SERVER['DOCUMENT_ROOT'] . "/openWB/modules/" . escapeshellcmd($_POST['etprovider']) . "/main.sh >> /var/log/openWB.log 2>&1 &" );
exec( 'mosquitto_pub -t openWB/global/ETProvider/modulePath -r -m "' . escapeshellarg($_POST['etprovider']) . '"' );
}

// start ev-soc updates if in POST data
if( array_key_exists( 'socmodul', $_POST ) && ($_POST['socmodul'] != 'none') ){ ?>
<script>$('#feedbackdiv').append("<br>Update SoC-Modul an Ladepunkt 1 gestartet.");</script>
<?php
file_put_contents($_SERVER['DOCUMENT_ROOT'].'/openWB/ramdisk/soctimer', "20005");
exec( $_SERVER['DOCUMENT_ROOT'] . "/openWB/modules/" . $_POST['socmodul'] . "/main.sh > /dev/null &" );
exec( $_SERVER['DOCUMENT_ROOT'] . "/openWB/modules/" . escapeshellcmd($_POST['socmodul']) . "/main.sh > /dev/null &" );
}
if( array_key_exists( 'socmodul1', $_POST ) && ($_POST['socmodul1'] != 'none') ){ ?>
<script>$('#feedbackdiv').append("<br>Update SoC-Modul an Ladepunkt 2 gestartet.");</script>
<?php
file_put_contents($_SERVER['DOCUMENT_ROOT'].'/openWB/ramdisk/soctimer1', "20005");
exec( $_SERVER['DOCUMENT_ROOT'] . "/openWB/modules/" . $_POST['socmodul1'] . "/main.sh > /dev/null &" );
exec( $_SERVER['DOCUMENT_ROOT'] . "/openWB/modules/" . escapeshellcmd($_POST['socmodul1']) . "/main.sh > /dev/null &" );
}

// check for rfid mode and start/stop handler
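Review bot: escapeshellcmd() on the three exec() lines that build `.../openWB/modules/<value>/main.sh` (the etprovider, socmodul and socmodul1 cases) is the wrong primitive for a path component: it escapes shell metacharacters but leaves `/`, `.` and whitespace untouched, so the POST value can still select a script outside the modules directory or split the command at a space. The value should be validated as a bare module name before use, e.g. `$module = $_POST['etprovider']; if (!preg_match('/^[A-Za-z0-9_-]+$/', $module)) { http_response_code(400); exit; }`, ideally also confirmed with is_dir() against the modules directory, with the same guard applied to socmodul and socmodul1. Separately, the mosquitto_pub line wraps escapeshellarg() in its own double quotes, `'"' . escapeshellarg(...) . '"'`; escapeshellarg() already yields a fully quoted argument, so the retained message will carry literal single quotes — `'mosquitto_pub -t openWB/global/ETProvider/modulePath -r -m ' . escapeshellarg($_POST['etprovider'])` is what was intended. The hunk sits mid-file (line 142 onward), so any earlier validation of these POST fields is not visible here.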
