Bug #13935

Updated by Jim Pingle about 1 year ago

The code in source:src/etc/inc/config.lib.inc#L291 which restores RRD files from a @config.xml@ backup does not escape the filenames supplied in @config.xml@ XML tags. It should also be doing a @basename()@ for good measure. The code which makes the backup has a similar incorrect method of quoting and though it is not possible for the user to control the parameters in that command, it's still not ideal and should be corrected. 

 This is *only* to ensure the user can't break it with accidental bad data they may have manually edited into those fields against advice. 

 This *is not* a security concern as anyone with access to restore a backup can already do anything and everything they want to the firewall. 

 Reported by: E-mail from @Emir Emir Polat <research@emirpolat.net>@ 
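The two fixes named in the description, `basename()` on the filename from the XML tag and shell escaping of every path, as an added example that is not pfSense code. The function names, the `/var/db/rrd` directory, the `rrdtool` path and the sample filenames are assumptions made for this illustration.

```php
<?php
// Added illustration, not the code in config.lib.inc. RRD_DIR, RRDTOOL and
// both function names are assumptions made for this example.
const RRD_DIR = '/var/db/rrd';
const RRDTOOL = '/usr/bin/rrdtool';

/**
 * Reduce a filename taken from a config.xml tag to a plain leaf name.
 * Returns null when the value cannot be an .rrd file name.
 */
function safe_rrd_name(string $from_xml): ?string
{
    $leaf = basename(trim($from_xml));      // drop any directory component
    if (strlen($leaf) <= 4 || substr($leaf, -4) !== '.rrd') {
        return null;                        // empty, bare ".rrd" or wrong suffix
    }
    return $leaf;
}

/**
 * Build the restore command line; every path goes through escapeshellarg(),
 * so spaces or quotes in a hand-edited name stay inside one argument.
 */
function rrd_restore_command(string $from_xml): ?string
{
    $leaf = safe_rrd_name($from_xml);
    if ($leaf === null) {
        return null;
    }
    $rrd = RRD_DIR . '/' . $leaf;
    $xml = substr($rrd, 0, -4) . '.xml';    // XML dump written next to the .rrd
    return RRDTOOL . ' restore -f ' . escapeshellarg($xml) . ' ' . escapeshellarg($rrd);
}

// Constructed sample values, as they might look after a manual edit of config.xml.
$samples = [
    'wan-traffic.rrd',
    'my link quality.rrd',
    '../../tmp/system-states.rrd',
    'notes.txt',
];
foreach ($samples as $name) {
    $cmd = rrd_restore_command($name);
    printf("%-30s => %s\n", $name, $cmd ?? '(skipped: not a plain .rrd name)');
}
```

The command is only built and printed here, never executed; the third sample shows `basename()` keeping the restored file inside the RRD directory.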
