pfSense

The code in source:src/etc/inc/config.lib.inc#L291 which restores RRD files from a config.xml backup does not escape the filenames supplied in config.xml XML tags. It should also be doing a basename() for good measure. The code which makes the backup has a similar incorrect method of quoting and though it is not possible for the user to control the parameters in that command, it's still not ideal and should be corrected.

This is only to ensure the user can't break it with accidental bad data they may have manually edited into those fields against advice.

This is not a security concern as anyone with access to restore a backup can already do anything and everything they want to the firewall.

Reported by: E-mail from Emir Polat <research@emirpolat.net>