prevent shell injection and use absolute path to scripts

yast · Dec 11, 2018 · d7d82eb · d7d82eb
1 parent 8a21e19
commit d7d82eb
Show file tree

Hide file tree

Showing 4 changed files with 33 additions and 51 deletions.
diff --git a/src/include/http-server/wizard-dialog.rb b/src/include/http-server/wizard-dialog.rb
@@ -221,9 +221,7 @@ def WizardSequence3
         )
       )
 
-      hostname = Convert.to_map(
-        SCR.Execute(path(".target.bash_output"), "/bin/hostname")
-      )
+      hostname = SCR.Execute(path(".target.bash_output"), "/usr/bin/hostname")
       Builtins.y2milestone(
         "Hostname : %1",
         Ops.get_string(hostname, "stdout", "")

diff --git a/src/modules/HttpServer.rb b/src/modules/HttpServer.rb
@@ -12,6 +12,8 @@
 require "yast"
 require "yast2/system_service"
 require "y2firewall/firewalld"
+require "shellwords"
+require "fileutils"
 
 module Yast
   class HttpServerClass < Module
@@ -123,7 +125,7 @@ def setWizardMode(w_mode)
       if w_mode == true
         SCR.Execute(
           path(".target.bash"),
-          Builtins.sformat("rm %1%2", Directory.vardir, "/http_server")
+          "/usr/bin/rm #{File.join(Directory.vardir, "/http_server").shellescape}"
         )
         Builtins.y2milestone("Set wizard mode on")
       else
@@ -245,7 +247,7 @@ def Read
       if SCR.Read(path(".target.lstat"), "/etc/sysconfig/apache2") == {}
         if SCR.Execute(
             path(".target.bash"),
-            "cp /var/adm/fillup-templates/sysconfig.apache2 /etc/sysconfig/apache2"
+            "/usr/bin/cp /var/adm/fillup-templates/sysconfig.apache2 /etc/sysconfig/apache2"
           ) != 0
           # translators:: error message
           Report.Error(Message.CannotWriteSettingsTo("/etc/sysconfig/apache2"))
@@ -360,34 +362,24 @@ def Read
       end
       # add DHCP ones, if we can find out the current IP
       devs = NetworkInterfaces.Locate("BOOTPROTO", "dhcp")
-      Builtins.foreach(devs) do |dev|
-        output = Convert.to_map(
-          SCR.Execute(
-            path(".target.bash_output"),
-            Ops.add("/sbin/ifconfig ", dev),
-            { "LC_MESSAGES" => "C" }
-          )
+      devs.each do |dev|
+        output = SCR.Execute(
+          path(".target.bash_output"),
+          "/usr/sbin/ip addr show #{dev.shellescape}",
+          { "LC_MESSAGES" => "C" }
         )
         if Ops.get_integer(output, "exit", -1) == 0
           # lookup the correct line first
-          line = Builtins.splitstring(
-            Ops.get_string(output, "stdout", ""),
-            "\n"
-          )
-          addr = nil
-          Builtins.foreach(line) do |ln|
-            if Builtins.regexpmatch(ln, "^[ \t]*inet addr:")
-              addr = Builtins.regexpsub(
-                ln,
-                "^[ \t]*inet addr:([0-9\\.]+)[ \t]*",
-                "\\1"
-              )
-              Builtins.y2milestone("Found addr: %1", addr)
-              raise Break
-            end
-          end
-
-          Ops.set(@ip2device, addr, dev) if addr != nil && addr != ""
+          lines = Ops.get_string(output, "stdout", "").lines
+          lines.grep(/^\s*inet [0-9.]/)
+          line = lines.first
+          next unless line
+
+          # line looks like
+          #    inet 192.168.0.107/24 brd 192.168.0.255 scope global noprefixroute dynamic eth0
+          addr = line[/^\s*inet\s*([0-9.]+)/, 1]
+          Builtins.y2milestone("Found addr: %1", addr)
+          Ops.set(@ip2device, addr, dev)
         end
       end
 
@@ -487,10 +479,6 @@ def Write
         Report.Error(Message.CannotAdjustService(service.name))
       end
 
-      # configuration test
-      #	map<string, any> test = (map<string, any>)SCR::Execute(.target.bash_output, "apache2ctl conftest");
-      #y2internal("test %1", test);
-
       (@files_to_check + dynamic_files_to_check()).each do |file|
         FileChanges.StoreFileCheckSum(file)
       end
@@ -861,10 +849,10 @@ def backup_vhost_config
       return if @vhost_files_to_backup.empty?
 
       backup_dir = File.join(APACHE_VHOSTS_DIR, "YaSTsave")
-      SCR.Execute(path(".target.bash"), "mkdir #{backup_dir}")
+      ::FileUtils.mkdir_p(backup_dir)
 
       @vhost_files_to_backup.each do |file|
-        SCR.Execute(path(".target.bash"), "cp -a #{file} #{backup_dir}")
+        SCR.Execute(path(".target.bash"), "/usr/bin/cp -a #{file.shellescape} #{backup_dir.shellescape}")
       end
     end
   end

diff --git a/src/modules/HttpServerWidgets.rb b/src/modules/HttpServerWidgets.rb
@@ -11,6 +11,8 @@
 require "yast"
 require "cwm/service_widget"
 
+require "shellwords"
+
 module Yast
   class HttpServerWidgetsClass < Module
 
@@ -997,7 +999,7 @@ def validate_server(hostid, server)
 
     # Reload server
     def ReloadServer
-      SCR.Execute(path(".target.bash"), "rcapache2 reload")
+      SCR.Execute(path(".target.bash"), "/usr/sbin/rcapache2 reload")
 
       nil
     end
@@ -1990,7 +1992,7 @@ def handleVhostDetails(key, event)
             if cert_file != nil &&
                 SCR.Execute(
                   path(".target.bash"),
-                  Builtins.sformat("openssl x509 -in %1", cert_file)
+                  Builtins.sformat("/usr/bin/openssl x509 -in %1", cert_file.shellescape)
                 ) == 0
               UI.ChangeWidget(:certfile, :Value, cert_file)
             else
@@ -2004,11 +2006,10 @@ def handleVhostDetails(key, event)
               "*.key *.pem",
               _("Choose Certificate Key File")
             )
-            #   boolean keyfile = (SCR::Execute(.target.bash, sformat("openssl rsa -in %1", cert_file))==0)?true:false;
             if key_file != nil &&
                 SCR.Execute(
                   path(".target.bash"),
-                  Builtins.sformat("openssl rsa -in %1", key_file)
+                  Builtins.sformat("/usr/bin/openssl rsa -in %1", key_file.shellescape)
                 ) == 0
               UI.ChangeWidget(:keyfile, :Value, key_file)
             else
@@ -3149,16 +3150,12 @@ def handleModules(key, event)
         # list of all installed modules
         all_modules = Builtins.splitstring(
           Ops.get_string(
-            Convert.convert(
-              SCR.Execute(
-                path(".target.bash_output"),
-                Builtins.sformat(
-                  "ls %1|grep \".so$\"|cut -d. -f1|cut -d_ -f2-",
-                  module_dirs
-                )
-              ),
-              :from => "any",
-              :to   => "map <string, any>"
+            SCR.Execute(
+              path(".target.bash_output"),
+              Builtins.sformat(
+                "ls %1|grep \".so$\"|cut -d. -f1|cut -d_ -f2-",
+                module_dirs # do not shellescape as it is multiple files, see above. No shell injection possible.
+              )
             ),
             "stdout",
             ""

diff --git a/src/modules/YaPI/HTTPD.pm b/src/modules/YaPI/HTTPD.pm
@@ -904,7 +904,6 @@ EXAMPLE
 BEGIN { $TYPEINFO{GetModuleList} = ["function", [ "list", "string" ] ]; }
 sub GetModuleList {
     my $self = shift;
-#    my $data = SCR->Read('.sysconfig.apache2.APACHE_MODULES'); # FIXME: Error handling
     my $data = SCR->Execute('.target.bash_output', 'a2enmod -l')->{'stdout'}; # FIXME: Error handling
 
     $data =~ s/mod_//g;