
Better commands sanitization to limit admin rights.

cdujeu committed May 1, 2015
1 parent 8346673 commit 2049254e7a215491019d2646a274a8fb1cf29e3b
@@ -271,8 +271,10 @@ public function switchWebSocketOn($params)
throw new Exception("Web Socket server seems to already be running!");
}
}
$cmd = ConfService::getCoreConf("CLI_PHP")." ws-server.php -host=".$params["WS_SERVER_BIND_HOST"]." -port=".$params["WS_SERVER_BIND_PORT"]." -path=".$params["WS_SERVER_PATH"];
$host = escapeshellarg($params["WS_SERVER_BIND_HOST"]);
$port = escapeshellarg($params["WS_SERVER_BIND_PORT"]);
$path = escapeshellarg($params["WS_SERVER_PATH"]);
$cmd = ConfService::getCoreConf("CLI_PHP")." ws-server.php -host=".$host." -port=".$port." -path=".$path;
chdir(AJXP_INSTALL_PATH.DIRECTORY_SEPARATOR.AJXP_PLUGINS_FOLDER.DIRECTORY_SEPARATOR."core.mq");
$process = AJXP_Controller::runCommandInBackground($cmd, null);
if ($process != null) {
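Review bot: `ConfService::getCoreConf("CLI_PHP")` is still concatenated into `$cmd` unquoted on the new line, so the command is only as trustworthy as that configuration value. If CLI_PHP can be edited through the same settings interface as the WS_SERVER_* parameters (not visible in this hunk), it should be validated as well, for example by checking that it resolves to an existing executable before the command is built. Separately, WS_SERVER_BIND_PORT could be cast with `(int)` and range-checked rather than only quoted, which rejects malformed values early. switchWebSocketOn starts and continues outside the hunk.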
@@ -134,7 +134,7 @@ public function mountFS()
$UNC_PATH = $this->getOption("UNC_PATH", $user, $password, false);
$MOUNT_OPTIONS = $this->getOption("MOUNT_OPTIONS", $user, $password);
$cmd = ($MOUNT_SUDO? "sudo ": ""). "mount -t " .$MOUNT_TYPE. (empty( $MOUNT_OPTIONS )? " " : " -o " .$MOUNT_OPTIONS. " " ) .$UNC_PATH. " " .$MOUNT_POINT;
$cmd = ($MOUNT_SUDO? "sudo ": ""). "mount -t " .$MOUNT_TYPE. (empty( $MOUNT_OPTIONS )? " " : " -o " .escapeshellarg($MOUNT_OPTIONS). " " ) .escapeshellarg($UNC_PATH). " " .escapeshellarg($MOUNT_POINT);
$res = null;
if($this->getOption("MOUNT_ENV_PASSWD") == true){
putenv("PASSWD=$password");
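Review bot: `$MOUNT_TYPE` is still concatenated after `mount -t` without quoting on the new `$cmd` line, while the options, UNC path and mount point around it now go through escapeshellarg(). Its origin is outside the hunk; if it comes from the same repository options, quote it too with `"mount -t " . escapeshellarg($MOUNT_TYPE)` or, better, check it against a short allowlist of supported filesystem types. Quoting `$MOUNT_OPTIONS` stops shell metacharacters but still hands any option string to a mount that may run under sudo, so an allowlist of permitted options would be worth adding. mountFS starts and continues outside the hunk.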
@@ -177,7 +177,7 @@ public function umountFS()
$MOUNT_POINT = $this->getOption("MOUNT_POINT", $user, $password);
$MOUNT_SUDO = $this->options["MOUNT_SUDO"];
system(($MOUNT_SUDO?"sudo":"")." umount ".$MOUNT_POINT, $res);
system(($MOUNT_SUDO?"sudo":"")." umount ".escapeshellarg($MOUNT_POINT), $res);
if($this->getOption("REMOVE_MOUNTPOINT_ON_UNMOUNT") == true && $res == 0 && !is_file($MOUNT_POINT."/.ajxp_mount")){
// Remove mount point
$testRm = @rmdir($MOUNT_POINT);
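Review bot: escapeshellarg() keeps `$MOUNT_POINT` a single argument, but a value beginning with `-` would still be read by umount as an option, possibly under sudo. End option parsing explicitly, `system(($MOUNT_SUDO?"sudo":"")." umount -- ".escapeshellarg($MOUNT_POINT), $res);`, or reject mount points that are not absolute paths before building the command. The same applies to the `$UNC_PATH` and `$MOUNT_POINT` arguments of the mount command in mountFS. umountFS starts and continues outside the hunk.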
@@ -191,12 +191,13 @@ public function switchAction($actionName, $httpVars, $filesVars)
header("Cache-Control: private",false);
}
$realFile = escapeshellarg($realFile);
$revision = escapeshellarg($revision);
system( (SVNLIB_PATH!=""?SVNLIB_PATH."/":"") ."svn cat -r$revision $realFile");
exit(0);
} else if ($actionName == "revert_file") {
$revision = escapeshellarg($httpVars["revision"]);
$realFile = $init["SELECTION"][0];
$realFile = $init["SELECTION"][0];
$compare = (isSet($httpVars["compare"]) && $httpVars["compare"] == "true");
$escapedFile = escapeshellarg($realFile);
if ($compare) {
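Review bot: In the `revert_file` branch `$revision` comes straight from `$httpVars["revision"]` and is only shell-quoted, so any string reaches svn as the revision argument. If only numeric revisions are expected here, validate first, e.g. `if (!ctype_digit((string) $httpVars["revision"])) { throw new Exception("Invalid revision"); }`, and then quote. Also, the first branch overwrites `$realFile` and `$revision` with their quoted forms, whereas this branch keeps a separate `$escapedFile`; using distinct names in both places keeps the quoted value out of any non-shell use. switchAction starts and continues outside the hunk.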

3 comments on commit 2049254


wizardbeard replied Oct 5, 2015

Calling sudo from PHP is ridiculous. Nobody should be doing that, and they shouldn't be using your platform until this is changed.

Member Author

cdujeu replied Oct 5, 2015

Hi @wizardbeard
Thanks for your comment. Some remarks:

  1. This plugin is not active anywhere unless you deliberately want to use it.
  2. Then if you want to use it, you read the doc of the plugin and eventually activate the "MOUNT_SUDO" option if you really need to. In the docs, it explains how you have to actually configure sudo to allow the usage of the mount command to apache. And nothing more.
  3. From there all variables are sanitized and escaped.
    If you have a better solution, please feel free to contribute a PR that provides an auto-mount feature for a remote file system and does not require using sudo in any case.
    Best
    Charles

Xe replied Oct 24, 2015

@wizardbeard #972 will be of interest to you.
