Bug #13935
closed
RRD restore process does not sanitize filenames from backup XML
100%
Description
The code in source:src/etc/inc/config.lib.inc#L291 which restores RRD files from a config.xml backup does not escape the filenames supplied in config.xml XML tags. It should also be doing a basename() for good measure. The code which makes the backup has a similar incorrect method of quoting and though it is not possible for the user to control the parameters in that command, it's still not ideal and should be corrected.
This is only to ensure the user can't break it with accidental bad data they may have manually edited into those fields against advice.
This is not a security concern as anyone with access to restore a backup can already do anything and everything they want to the firewall.
Reported by: E-mail from Emir Polat <research@emirpolat.net>
Updated by Jim Pingle almost 2 years ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Applied in changeset ca80d18493f8f91b21933ebd6b714215ae1e5e94.
Updated by Jim Pingle almost 2 years ago
- Status changed from Feedback to Resolved
Backup and restore of RRD works as expected on current builds.