From 9641448888ff8139e3918abf5702499085e84781 Mon Sep 17 00:00:00 2001
From: Lutz Bender
Date: Fri, 11 Oct 2024 08:55:53 +0200
Subject: [PATCH] check for valid modules
---
 web/settings/saveconfig.php | 63 +++++++++++++++++++++++++------------
 1 file changed, 43 insertions(+), 20 deletions(-)
diff --git a/web/settings/saveconfig.php b/web/settings/saveconfig.php
index b9016b5df..78b23bc0d 100644
--- a/web/settings/saveconfig.php
+++ b/web/settings/saveconfig.php
@@ -66,6 +66,15 @@
 // prepare key/value array
 $settingsArray = [];
+ function checkModule($module){
+ $modulePath = $_SERVER['DOCUMENT_ROOT'] . "/openWB/modules/";
+ $path = realpath($modulePath . $module);
+ if ($path === false || strpos($path, $modulePath) !== 0) {
+ return false;
+ }
+ return basename($path);
+ }
+
 try {
 if ( !file_exists($myConfigFile) ) {
 throw new Exception('Konfigurationsdatei nicht gefunden.');
@@ -98,19 +107,6 @@
 }
 }
- // write config to file
- $fp = fopen($myConfigFile, "w");
- if ( !$fp ) {
- throw new Exception('Konfigurationsdatei konnte nicht geschrieben werden.');
- }
- foreach($settingsArray as $key => $value) {
- // only save to config if $key has some meaningful length
- if( strlen($key) > 0 ){
- fwrite($fp, $key."=".$value."\n");
- }
- }
- fclose($fp);
-
 // handling of different actions required by some modules
 // check for manual ev soc module on lp1
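Review bot: In checkModule the prefix test compares realpath() output against the unresolved `$modulePath`, so if `$_SERVER['DOCUMENT_ROOT']` contains a symlink every module is rejected, and conversely a nested entry such as `sub/dir` passes the prefix test while basename() hands back only `dir`, so the name the callers later run is not the path that was validated. Resolving the modules directory with realpath() as well and requiring `dirname($path) === $modulePath` closes both gaps, and checking for `main.sh` rejects stray files in that directory before anything is exec'd. The function also receives the raw `$_POST` value, which can be missing or an array, so an is_string() guard avoids the "Array to string conversion" notice on the concatenation.
```php
function checkModule($module){
    // canonicalise the base directory too, otherwise a symlinked DOCUMENT_ROOT breaks the comparison
    $modulePath = realpath($_SERVER['DOCUMENT_ROOT'] . "/openWB/modules");
    $path = ($modulePath !== false && is_string($module)) ? realpath($modulePath . "/" . $module) : false;
    // the resolved entry must be a direct child of the modules directory and ship a main.sh
    if ($path === false || dirname($path) !== $modulePath || !is_file($path . "/main.sh")) {
        return false;
    }
    return basename($path);
}
```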
@@ -139,25 +135,39 @@ } // start etprovider update if in POST data - if( array_key_exists( 'etprovideraktiv', $_POST ) && ($_POST['etprovideraktiv'] == 1) ){ ?> + if( array_key_exists( 'etprovideraktiv', $_POST ) && ($_POST['etprovideraktiv'] == 1) ){ + $module = checkModule($_POST['etprovider']); + if( $module === false ){ + throw new Exception('Ungültiger ET-Provider: ' . $_POST['etprovider']); + }?> > /var/log/openWB.log 2>&1 &" ); - exec( 'mosquitto_pub -t openWB/global/ETProvider/modulePath -r -m ' . escapeshellarg($_POST['etprovider']) ); + exec( $_SERVER['DOCUMENT_ROOT'] . "/openWB/modules/" . escapeshellcmd($module) . "/main.sh >> /var/log/openWB.log 2>&1 &" ); + exec( 'mosquitto_pub -t openWB/global/ETProvider/modulePath -r -m ' . $module ); } // start ev-soc updates if in POST data - if( array_key_exists( 'socmodul', $_POST ) && ($_POST['socmodul'] != 'none') ){ ?> + if( array_key_exists( 'socmodul', $_POST ) && ($_POST['socmodul'] != 'none') ){ + $module = checkModule($_POST['socmodul']); + if( $module === false ){ + throw new Exception('Ungültiges SoC-Modul: ' . $_POST['socmodul']); + } + ?> /dev/null &" ); + exec( $_SERVER['DOCUMENT_ROOT'] . "/openWB/modules/" . escapeshellcmd($module) . "/main.sh > /dev/null &" ); } - if( array_key_exists( 'socmodul1', $_POST ) && ($_POST['socmodul1'] != 'none') ){ ?> + if( array_key_exists( 'socmodul1', $_POST ) && ($_POST['socmodul1'] != 'none') ){ + $module = checkModule($_POST['socmodul1']); + if( $module === false ){ + throw new Exception('Ungültiges SoC-Modul: ' . $_POST['socmodul1']); + } + ?> /dev/null &" ); + exec( $_SERVER['DOCUMENT_ROOT'] . "/openWB/modules/" . escapeshellcmd($module) . "/main.sh > /dev/null &" ); } // check for rfid mode and start/stop handler 
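Review bot: The mosquitto_pub line drops the `escapeshellarg()` the removed line had, so `$module` is now spliced into the command unquoted; even though checkModule() has confirmed it names an existing directory, a module directory with a space or shell metacharacter in its name would break or alter the command, so keep `exec( 'mosquitto_pub -t openWB/global/ETProvider/modulePath -r -m ' . escapeshellarg($module) );`. The three main.sh calls apply `escapeshellcmd()` to the bare name, which escapes metacharacters but not whitespace; quoting the whole script path is the safer form, e.g. `exec( escapeshellarg($_SERVER['DOCUMENT_ROOT'] . "/openWB/modules/" . $module . "/main.sh") . " >> /var/log/openWB.log 2>&1 &" );` and likewise for the two socmodul calls. The new exception messages concatenate the raw `$_POST` value and the catch block further down echoes `$e->getMessage()`; if that output is not HTML-escaped (the echoed string is stripped in this view), an invalid module name becomes a reflected XSS, so either leave the input out of the message or pass `$msg` through htmlspecialchars() where it is printed. `$_POST['etprovider']` is also read without an isset() check, so a request carrying `etprovideraktiv=1` and no `etprovider` emits an undefined-index notice before checkModule() rejects it. The enclosing try block starts in the first hunk and closes in the last one.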
@@ -167,6 +177,19 @@
 exec( $_SERVER['DOCUMENT_ROOT'] . "/openWB/runs/rfid/rfidSetup.sh >> /var/log/openWB.log 2>&1 &" );
 }
+ // write config to file
+ $fp = fopen($myConfigFile, "w");
+ if ( !$fp ) {
+ throw new Exception('Konfigurationsdatei konnte nicht geschrieben werden.');
+ }
+ foreach($settingsArray as $key => $value) {
+ // only save to config if $key has some meaningful length
+ if( strlen($key) > 0 ){
+ fwrite($fp, $key."=".$value."\n");
+ }
+ }
+ fclose($fp);
+
 } catch ( Exception $e ) {
 $msg = $e->getMessage();
 echo "";
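Review bot: Moving the config write below the exec section means the module scripts started in the previous hunk now run before this request's settings reach the config file; if main.sh reads its configuration from that file (not visible here), its first run sees the previous values. The motivation for the move, rejecting an invalid module before anything is persisted, holds just as well if the three checkModule() calls are made before the exec section, the file is written next, and the processes are started last. The write itself opens the file with `"w"`, which truncates it in place, so a failure inside the fwrite loop leaves a partial config; writing to `$myConfigFile . '.tmp'` and `rename()`-ing it over the original keeps the old file intact until the new one is complete. The try block this hunk closes starts in the first hunk.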