
Don't allow to read ini file everywhere on filesystem.

Signed-off-by: D9ping <D9ping@users.noreply.github.com>
pull/220/head
D9ping 4 years ago
parent
commit
182a6509e9
ajax/networking/get_int_config.php

@ -5,8 +5,7 @@ include_once('../../includes/functions.php');
if(isset($_POST['interface']) && isset($_POST['csrf_token']) && CSRFValidate()) {
$int = $_POST['interface'];
// FIXME slashes and other forbidden filename characters not stripped. [security]
$int = preg_replace('/[^a-z0-9]/', '', $_POST['interface']);
if(!file_exists(RASPI_CONFIG_NETWORKING.'/'.$int.'.ini')) {
touch(RASPI_CONFIG_NETWORKING.'/'.$int.'.ini');
}
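
Review bot: the `preg_replace('/[^a-z0-9]/', '', $_POST['interface'])` assignment to `$int` silently rewrites the input instead of rejecting it, so a request is served for a different name than the one sent (`eth0.10` becomes `eth010`), and an input with no lowercase letters or digits collapses to an empty string, which the `touch()` a few lines below then turns into a `.ini` file in RASPI_CONFIG_NETWORKING. I would fail the request when the value does not match, for example with `preg_match('/^[a-z0-9]+$/', ...)`, or better, check it against the list of interfaces the system actually has. Two smaller points on the same line: the character class drops uppercase letters, `.`, `-` and `_`, all of which occur in valid Linux interface names, and `isset()` does not guarantee a string, so an array-valued `interface` parameter makes `preg_replace` return an array that is then concatenated into the path. A one-line comment stating which characters are allowed and why would also replace the FIXME usefully.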
