path traversal fix

author: kaotisk <kaotisk@arching-kaos.org> 2024-07-21 08:38:41 +0300
committer: kaotisk <kaotisk@arching-kaos.org> 2024-07-21 08:38:41 +0300
commit: a32f9ab57ce918bcb215f4037cc61798aac42498 (patch)
tree: 751ab31be74f862302845ab57e1c35c33d0a4320 /lib
parent: 71f580970272550e316d6b006c43dd417849f50c (diff)
download: arching-kaos-tools-a32f9ab57ce918bcb215f4037cc61798aac42498.tar.gz
arching-kaos-tools-a32f9ab57ce918bcb215f4037cc61798aac42498.tar.bz2
arching-kaos-tools-a32f9ab57ce918bcb215f4037cc61798aac42498.zip
1 files changed, 12 insertions, 0 deletions
diff --git a/lib/_ak_settings b/lib/_ak_settings
index 500b34f..1a4be03 100755
--- a/lib/_ak_settings
+++ b/lib/_ak_settings
@@ -12,6 +12,12 @@ _ak_settings_get(){
             _ak_log_error "No ungrouped settings allowed"
             exit 1
         fi
+        echo $1 | grep '\.\.' > /dev/null 2>&1
+        if [ $? -eq 0 ]
+        then
+            _ak_log_error "No '..' allowed"
+            exit 1
+        fi
         subset="$(echo $1 | cut -d '.' -f 1)"
         echo "$subset" | grep '[.\-\*/~!@#$%^&*()_=\-\>\<,{}[]]' > /dev/null 2>&1
         if [ $? -eq 0 ]
@@ -50,6 +56,12 @@ _ak_settings_get(){
 _ak_settings_set(){
     if [ ! -z "$1" ] && [ -n "$1" ]
     then
+        echo $1 | grep '\.\.' > /dev/null 2>&1
+        if [ $? -eq 0 ]
+        then
+            _ak_log_error "No '..' allowed"
+            exit 1
+        fi
         if [ ! -z "$2" ] && [ -n "$2" ]
         then
             cd $AK_SETTINGS
author	kaotisk <kaotisk@arching-kaos.org>	2024-07-21 08:38:41 +0300
committer	kaotisk <kaotisk@arching-kaos.org>	2024-07-21 08:38:41 +0300
commit	a32f9ab57ce918bcb215f4037cc61798aac42498 (patch)
tree	751ab31be74f862302845ab57e1c35c33d0a4320 /lib
parent	71f580970272550e316d6b006c43dd417849f50c (diff)
download	arching-kaos-tools-a32f9ab57ce918bcb215f4037cc61798aac42498.tar.gz arching-kaos-tools-a32f9ab57ce918bcb215f4037cc61798aac42498.tar.bz2 arching-kaos-tools-a32f9ab57ce918bcb215f4037cc61798aac42498.zip