_isIPv4 vulnerability based on existing files in /acme.sh #4971

Open
Hossy opened this issue Jan 29, 2024 · 2 comments

Comments

Hossy commented Jan 29, 2024

Steps to reproduce

  1. touch /acme.sh/1
  2. Make request for *.*.*.*

https://github.com/acmesh-official/acme.sh/blob/master/acme.sh#L4266

Recommend pulling out the 'not all number' check like this:

  if [ "$1" != "$(echo "$1" | tr -cd '[0-9].')" ]; then
    #not all number
    return 1
  fi
  for seg in $(echo "$1" | tr '.' ' '); do

Please upgrade to the latest code and try again first. Maybe it's already fixed. acme.sh --upgrade If it's still not working, please provide the log with --debug 2, otherwise, nobody can help you.

Hossy commented Jan 29, 2024

Alternatively, this might be a less vulnerable function that is POSIX safe and only returns 0 when a valid IPv4 address is provided (the current function returns 0 with "1" or "1.1"):

_isIPv4() {
    # Remember whether pathname expansion was already disabled, then disable it
    _isIPv4_had_f=0
    case $- in *f*) _isIPv4_had_f=1 ;; esac
    set -f

    # Save the current value of IFS
    _isIPv4_saveIFS="$IFS"
    IFS='.'

    # Split the IP into octets
    _chk_ipv4="$1"
    # We specifically want word splitting here.  We have disabled pathname expansion (globbing) with set -f.
    # shellcheck disable=SC2086
    set -- $_chk_ipv4

    # Restore the original value of IFS
    IFS="$_isIPv4_saveIFS"

    # Re-enable pathname expansion only if it was enabled on entry
    if [ "$_isIPv4_had_f" -eq 0 ]; then
        set +f
    fi

    # A trailing dot ("1.1.1.1.") is dropped by word splitting and would still
    # yield 4 octets, so reject it explicitly
    case "$_chk_ipv4" in
        *.)
            _debug2 "$_chk_ipv4 has a trailing dot"
            return 1
            ;;
    esac

    # Check if the IP has exactly 4 octets
    if [ $# -ne 4 ]; then
        # Invalid IPv4 address
        _debug2 "$_chk_ipv4 does not have 4 octets"
        return 1
    fi

    # Validate each octet
    for octet in "$@"; do
        _debug2 octet "$octet"
        # Check if octet is a plain run of digits.  test's -eq is not enough:
        # it also accepts a sign or surrounding whitespace (e.g. "+1", " 1")
        case "$octet" in
            '' | *[!0-9]*)
                # octet is not numeric
                return 1
                ;;
        esac

        # Check if octet is in range 0-255
        if [ "$octet" -lt 0 ] || [ "$octet" -gt 255 ]; then
            # octet is out of range
            return 1
        fi
    done

    # If all checks pass, IP is valid
    return 0
}
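As an added illustration (not code from the issue or from acme.sh itself), the unquoted-split pattern from the first comment beside a validator that enforces the digits-and-dots shape with a `case` pattern before any word splitting, run in a scratch directory that contains a file named `1` as in the reproduction steps. `_isIPv4_vuln` is a constructed reduction of that pattern, not acme.sh's actual function, and `_run_in_scratch` is a helper written for this example.

```shell
#!/bin/sh
# Added example, not acme.sh's own code: the unquoted-split pattern from the
# issue beside a validator that never lets attacker input reach globbing.

# Vulnerable shape of the check (constructed reduction, not the real function):
# the unquoted $(...) in the 'for' list undergoes pathname expansion, so each
# '*' becomes whatever file names exist in $PWD.
_isIPv4_vuln() {
  for seg in $(echo "$1" | tr '.' ' '); do
    case "$seg" in *[!0-9]* | '') return 1 ;; esac
    [ "$seg" -le 255 ] || return 1
  done
  return 0
}

# Hardened validator: a case pattern is matched, never expanded, so the
# digits-and-dots shape is enforced before any word splitting happens.
_isIPv4_safe() {
  case "$1" in *[!0-9.]* | .* | *. | *..* | '') return 1 ;; esac
  _saveIFS="$IFS"; IFS='.'
  case $- in *f*) _hadf=1 ;; *) _hadf=0 ;; esac
  set -f                 # defence in depth: no globbing during the split
  set -- $1
  [ "$_hadf" -eq 1 ] || set +f
  IFS="$_saveIFS"
  [ $# -eq 4 ] || return 1
  for seg in "$@"; do
    [ "$seg" -le 255 ] || return 1
  done
  return 0
}

# Run a validator on '*.*.*.*' inside a scratch directory holding a file
# named "1", as in the issue's repro; returns the validator's exit status.
_run_in_scratch() {
  _d=$(mktemp -d) || return 2
  touch "$_d/1"
  if (cd "$_d" && "$1" '*.*.*.*'); then _rc=0; else _rc=1; fi
  rm -rf "$_d"
  return "$_rc"
}

_run_in_scratch _isIPv4_vuln && echo "vulnerable check accepted *.*.*.*"
_run_in_scratch _isIPv4_safe || echo "hardened check rejected *.*.*.*"
```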
