applications/luci-wol: fix XSS

author Jo-Philipp Wich <jow@openwrt.org>

Wed, 24 Nov 2010 05:05:39 +0000 (05:05 +0000)

committer Jo-Philipp Wich <jow@openwrt.org>

Wed, 24 Nov 2010 05:05:39 +0000 (05:05 +0000)
author Jo-Philipp Wich <jow@openwrt.org>
Wed, 24 Nov 2010 05:05:39 +0000 (05:05 +0000)
committer Jo-Philipp Wich <jow@openwrt.org>
Wed, 24 Nov 2010 05:05:39 +0000 (05:05 +0000)
diff --git a/applications/luci-wol/luasrc/model/cbi/wol.lua b/applications/luci-wol/luasrc/model/cbi/wol.lua

index ac73919..30467f4 100644 (file)
--- a/applications/luci-wol/luasrc/model/cbi/wol.lua
+++ b/applications/luci-wol/luasrc/model/cbi/wol.lua
@@ -48,7 +48,7 @@ if has_ewk then
         end
  
         iface:value("", translate("Broadcast on all interfaces"))
-       
+
         for _, e in ipairs(sys.net.devices()) do
                 if e ~= "lo" then iface:value(e) end
         end
@@ -86,7 +86,7 @@ end
  
  function host.write(self, s, val)
         local host = luci.http.formvalue("cbid.wol.1.mac")
-       if host and #host > 0 then
+       if host and #host > 0 and host:match("^[a-fA-F0-9:]+$") then
                 local cmd
                 local util = luci.http.formvalue("cbid.wol.1.binary") or (
                         has_ewk and "/usr/bin/etherwake" or "/usr/bin/wol"
@@ -127,4 +127,3 @@ end
  
  
  return m
-
author	Jo-Philipp Wich <jow@openwrt.org>
	Wed, 24 Nov 2010 05:05:39 +0000 (05:05 +0000)
committer	Jo-Philipp Wich <jow@openwrt.org>
	Wed, 24 Nov 2010 05:05:39 +0000 (05:05 +0000)