This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated via 088b7f4f3f6be2ccc082d26214bbc9daf86879bc (commit) via 76e26c7f69dab295682452ff260e0e17335957de (commit) via 0023f8a92b000d8714cc2dc8a9379f0fd0b965af (commit) via b8fdc7398ce7ae1852e019e2f8773f95125619ed (commit) via 614764e58af6dd710658fd072ed9b3a1b51f805a (commit) via 7f6257e0a475681ff243ead159cafee2e03f6265 (commit) from 924b48c7890ef573c1400474ef92951fb9cf3ded (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit 088b7f4f3f6be2ccc082d26214bbc9daf86879bc
Author: Michael Tremer michael.tremer@ipfire.org
Date:   Thu Sep 13 14:45:05 2018 +0100
core124: Ship updated unbound
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 76e26c7f69dab295682452ff260e0e17335957de
Author: Matthias Fischer matthias.fischer@ipfire.org
Date:   Tue Sep 11 20:07:14 2018 +0200
unbound: Update to 1.8.0
For details see:
https://nlnetlabs.nl/svn/unbound/tags/release-1.8.0/doc/Changelog
and
https://nlnetlabs.nl/projects/unbound/download/
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 0023f8a92b000d8714cc2dc8a9379f0fd0b965af
Author: Michael Tremer michael.tremer@ipfire.org
Date:   Thu Sep 13 14:41:21 2018 +0100
core124: Ship updated backup.cgi
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit b8fdc7398ce7ae1852e019e2f8773f95125619ed
Author: Michael Tremer michael.tremer@ipfire.org
Date:   Thu Sep 13 14:37:51 2018 +0100
static-routes: Make it clear that we are reloading routes
When RED is brought down, we will reload all static routes.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 614764e58af6dd710658fd072ed9b3a1b51f805a
Author: Michael Tremer michael.tremer@ipfire.org
Date:   Thu Aug 30 10:28:45 2018 +0100
backup: Sanitise content of ADDON variable
References: #11830
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 7f6257e0a475681ff243ead159cafee2e03f6265
Author: Michael Tremer michael.tremer@ipfire.org
Date:   Thu Aug 30 10:20:06 2018 +0100
backup: Sanitise FILE parameter
This parameter was passed to some shell commands without any sanitisation which allowed an attacker who was authenticated to the web UI to download arbitrary files from some directories and delete any file from the filesystem.
References: #11830
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
-----------------------------------------------------------------------
Summary of changes:
 config/rootfiles/common/unbound                  |   4 +-
 config/rootfiles/core/124/filelists/files        |   3 +
 .../{oldcore/106 => core/124}/filelists/unbound  |   0
 html/cgi-bin/backup.cgi                          | 109 +++++++++++++--------
 lfs/unbound                                      |   4 +-
 .../networking/red.down/10-static-routes         |   4 +-
 src/initscripts/system/static-routes             |   4 +-
 7 files changed, 81 insertions(+), 47 deletions(-)
 copy config/rootfiles/{oldcore/106 => core/124}/filelists/unbound (100%)
Difference in files: diff --git a/config/rootfiles/common/unbound b/config/rootfiles/common/unbound index f3172f028..9f7c512db 100644 --- a/config/rootfiles/common/unbound +++ b/config/rootfiles/common/unbound @@ -10,8 +10,8 @@ etc/unbound/unbound.conf #usr/include/unbound.h #usr/lib/libunbound.la #usr/lib/libunbound.so -usr/lib/libunbound.so.2 -usr/lib/libunbound.so.2.5.11 +usr/lib/libunbound.so.8 +usr/lib/libunbound.so.8.0.0 #usr/lib/pkgconfig/libunbound.pc usr/sbin/unbound usr/sbin/unbound-anchor diff --git a/config/rootfiles/core/124/filelists/files b/config/rootfiles/core/124/filelists/files index cfd300dce..e3e295706 100644 --- a/config/rootfiles/core/124/filelists/files +++ b/config/rootfiles/core/124/filelists/files @@ -3,11 +3,14 @@ etc/issue etc/rc.d/helper/aws-setup etc/rc.d/init.d/aws etc/rc.d/init.d/localnet +etc/rc.d/init.d/networking/red.down/10-static-routes etc/rc.d/init.d/partresize +etc/rc.d/init.d/static-routes etc/sysctl.conf etc/unbound/unbound.conf opt/pakfire/lib/functions.pl opt/pakfire/pakfire +srv/web/ipfire/cgi-bin/backup.cgi srv/web/ipfire/cgi-bin/firewall.cgi srv/web/ipfire/cgi-bin/fwhosts.cgi srv/web/ipfire/cgi-bin/ids.cgi diff --git a/config/rootfiles/core/124/filelists/unbound b/config/rootfiles/core/124/filelists/unbound new file mode 120000 index 000000000..66adf0924 --- /dev/null +++ b/config/rootfiles/core/124/filelists/unbound @@ -0,0 +1 @@ +../../../common/unbound \ No newline at end of file diff --git a/html/cgi-bin/backup.cgi b/html/cgi-bin/backup.cgi index 86e21cf34..2a036279d 100644 --- a/html/cgi-bin/backup.cgi +++ b/html/cgi-bin/backup.cgi @@ -24,6 +24,7 @@ use strict; #use warnings; #use CGI::Carp 'fatalsToBrowser'; use File::Copy; +use File::Basename;
require '/var/ipfire/general-functions.pl'; require "${General::swroot}/lang.pl"; @@ -58,44 +59,25 @@ system("/usr/local/bin/backupctrl makedirs >/dev/null 2>&1 ") unless ( -e '/var/ ############################################################################################################################ ############################################## System calls ohne Http Header ###############################################
-# Replace slashes from filename -$cgiparams{'FILE'} =~ s////; - -if ( $cgiparams{'ACTION'} eq "download" ) -{ - open(DLFILE, "</var/ipfire/backup/$cgiparams{'FILE'}") or die "Unable to open $cgiparams{'FILE'}: $!"; - my @fileholder = <DLFILE>; - print "Content-Type:application/x-download\n"; - my @fileinfo = stat("/var/ipfire/backup/$cgiparams{'FILE'}"); - print "Content-Length:$fileinfo[7]\n"; - print "Content-Disposition:attachment;filename=$cgiparams{'FILE'}\n\n"; - print @fileholder; - exit (0); -} -if ( $cgiparams{'ACTION'} eq "downloadiso" ) -{ - open(DLFILE, "</var/tmp/backupiso/$cgiparams{'FILE'}") or die "Unable to open $cgiparams{'FILE'}: $!"; - my @fileholder = <DLFILE>; - print "Content-Type:application/x-download\n"; - my @fileinfo = stat("/var/tmp/backupiso/$cgiparams{'FILE'}"); - print "Content-Length:$fileinfo[7]\n"; - print "Content-Disposition:attachment;filename=$cgiparams{'FILE'}\n\n"; - print @fileholder; - exit (0); -} -if ( $cgiparams{'ACTION'} eq "downloadaddon" ) -{ - open(DLFILE, "</var/ipfire/backup/addons/backup/$cgiparams{'FILE'}") or die "Unable to open $cgiparams{'FILE'}: $!"; - my @fileholder = <DLFILE>; - print "Content-Type:application/x-download\n"; - my @fileinfo = stat("/var/ipfire/backup/addons/backup/$cgiparams{'FILE'}"); - print "Content-Length:$fileinfo[7]\n"; - print "Content-Disposition:attachment;filename=$cgiparams{'FILE'}\n\n"; - print @fileholder; - exit (0); -} -elsif ( $cgiparams{'ACTION'} eq "restore" ) -{ +if ($cgiparams{'ACTION'} eq "download") { + my $file = &sanitise_file($cgiparams{'FILE'}); + exit(1) unless defined($file); + + &deliver_file($file); + exit(0); +} elsif ($cgiparams{'ACTION'} eq "downloadiso") { + my $file = &sanitise_file($cgiparams{'FILE'}); + exit(1) unless defined($file); + + &deliver_file($file); + exit(0); +} elsif ($cgiparams{'ACTION'} eq "downloadaddon") { + my $file = &sanitise_file($cgiparams{'FILE'}); + exit(1) unless defined($file); + + &deliver_file($file); + exit(0); +} elsif ( 
$cgiparams{'ACTION'} eq "restore") { my $upload = $a->param("UPLOAD"); open UPLOADFILE, ">/tmp/restore.ipf"; binmode $upload; @@ -142,11 +124,22 @@ if ( $cgiparams{'ACTION'} eq "backup" ) } if ( $cgiparams{'ACTION'} eq "addonbackup" ) { + # Exit if there is any dots or slashes in the addon name + exit(1) if ($cgiparams{'ADDON'} =~ /(.|/)/); + + # Check if the addon exists + exit(1) unless (-e "/var/ipfire/backup/addons/includes/$cgiparams{'ADDON'}"); + system("/usr/local/bin/backupctrl addonbackup $cgiparams{'ADDON'} >/dev/null 2>&1"); } elsif ( $cgiparams{'ACTION'} eq "delete" ) { - system("/usr/local/bin/backupctrl $cgiparams{'FILE'} >/dev/null 2>&1"); + my $file = &sanitise_file($cgiparams{'FILE'}); + exit(1) unless defined($file); + + $file = &File::Basename::basename($file); + + system("/usr/local/bin/backupctrl $file >/dev/null 2>&1"); }
############################################################################################################################ @@ -340,3 +333,41 @@ END &Header::closebox(); &Header::closebigbox(); &Header::closepage(); + +sub sanitise_file() { + my $file = shift; + + # Filenames cannot contain any slashes + return undef if ($file =~ ///); + + # File must end with .ipf or .iso + return undef unless ($file =~ /.(ipf|iso)$/); + + # Convert to absolute path + if (-e "/var/ipfire/backup/$file") { + return "/var/ipfire/backup/$file"; + } elsif (-e "/var/ipfire/backup/addons/backup/$file") { + return "/var/ipfire/backup/addons/backup/$file"; + } elsif (-e "/var/tmp/backupiso/$file") { + return "/var/tmp/backupiso/$file"; + } + + # File does not seem to exist + return undef; +} + +sub deliver_file() { + my $file = shift; + my @stat = stat($file); + + # Print headers + print "Content-Disposition: attachment; filename=" . &File::Basename::basename($file) . "\n"; + print "Content-Type: application/octet-stream\n"; + print "Content-Length: $stat[7]\n"; + print "\n"; + + # Deliver content + open(FILE, "<$file") or die "Unable to open $file: $!"; + print <FILE>; + close(FILE); +} diff --git a/lfs/unbound b/lfs/unbound index b4c1b02f3..ae2795e0e 100644 --- a/lfs/unbound +++ b/lfs/unbound @@ -24,7 +24,7 @@
include Config
-VER = 1.7.3 +VER = 1.8.0
THISAPP = unbound-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = ea45068fb27ef358f581227b99645525 +$(DL_FILE)_MD5 = 495ffdff55a53ff1735fb58e956c1945
install : $(TARGET)
diff --git a/src/initscripts/networking/red.down/10-static-routes b/src/initscripts/networking/red.down/10-static-routes index f8f00a7d1..650557a47 100644 --- a/src/initscripts/networking/red.down/10-static-routes +++ b/src/initscripts/networking/red.down/10-static-routes @@ -1,4 +1,4 @@ #!/bin/bash
-# Update the static routes. -exec /etc/rc.d/init.d/static-routes start +# Update the static routes +exec /etc/rc.d/init.d/static-routes reload diff --git a/src/initscripts/system/static-routes b/src/initscripts/system/static-routes index 940a7b45c..84e3e3d29 100644 --- a/src/initscripts/system/static-routes +++ b/src/initscripts/system/static-routes @@ -42,7 +42,7 @@ function create_all_routes() { CONFIGFILE="/var/ipfire/main/routing"
case "${1}" in - start) + start|reload) boot_mesg "Adding static routes..."
# First, initialize the table @@ -61,7 +61,7 @@ case "${1}" in ;;
*) - echo "Usage: ${0} {start|stop}" + echo "Usage: ${0} {start|stop|reload}" exit 1 ;; esac
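Review bot: in the config/rootfiles/common/unbound hunk, the shared library moves from libunbound.so.2 to libunbound.so.8, so any binary on the image that is still linked against libunbound.so.2 will fail to load once core124 is installed; please confirm nothing else in the tree links against libunbound (only the unbound rootfile is touched in this series), or rebuild and ship it alongside.

Review bot: in the first backup.cgi hunk, the "download", "downloadiso" and "downloadaddon" branches are now identical, because sanitise_file() resolves the name against all three directories regardless of ACTION. Either collapse them into one branch, or pass the directory that belongs to the action into sanitise_file() so that "downloadiso" cannot return a file from /var/ipfire/backup and vice versa.

Review bot: in the addonbackup/delete hunk, the ADDON check "exit(1) if ($cgiparams{'ADDON'} =~ /(.|/)/);" has an unescaped dot as rendered here, which matches any character and would reject every non-empty addon name; if the backslashes were simply lost in transit this is fine, but a positive pattern such as /^[A-Za-z0-9_-]+$/ is easier to read and also keeps shell metacharacters out of the interpolated system("... addonbackup $cgiparams{'ADDON'} ...") call. The following -e check does narrow ADDON to names that exist under addons/includes, but the list form system("/usr/local/bin/backupctrl", "addonbackup", $cgiparams{'ADDON'}) takes the shell out of the picture entirely, at the cost of handling the >/dev/null redirection in Perl; the same applies to the delete branch's system("/usr/local/bin/backupctrl $file >/dev/null 2>&1").

Review bot: in the sanitise_file()/deliver_file() hunk, the suffix check "return undef unless ($file =~ /.(ipf|iso)$/);" also has an unescaped dot as rendered, so a name such as "backupipf" would pass; it should read /\.(ipf|iso)$/. Two smaller points: the empty () prototype on "sub sanitise_file()" and "sub deliver_file()" declares them as taking no arguments, which only works because the &name(...) call style bypasses prototype checking, so the () should go; and the Content-Disposition header emits the filename unquoted, so a name containing a space or semicolon yields a malformed header (filename="..." fixes that). deliver_file() also slurps the whole file with "print <FILE>;", which for an ISO backup means holding the entire image in memory; a read loop with a fixed buffer would be kinder to the box.

Review bot: in the lfs/unbound hunk, the only integrity check applied to the new tarball is the updated MD5 sum; MD5 is collision-prone, so when bumping VER it is worth verifying the signature NLnet Labs publishes alongside the tarball on the download page linked in the commit message, even if the build system keeps its _MD5 variable for the cache check.

Review bot: in the static-routes hunks, "start|reload)" wires reload as a plain alias of start, so the red.down hook re-runs the full path including the "First, initialize the table" step shown in context, which is what the commit message intends; the boot_mesg still reads "Adding static routes..." though, so for the reload case a "Reloading static routes..." message would actually deliver on the commit title.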
hooks/post-receive -- IPFire 2.x development tree