fix(dhcp, hostapd): validate interface names and sanitize shell commands

Author: tulik

includes/configure_client.php

@@ -41,7 +41,7 @@ function DisplayWPAConfig()
 
                 if (preg_match('/delete(\d+)/', $post, $post_match)) {
                     $network = $tmp_networks[$_POST['ssid' . $post_match[1]]];
-                    $netid = $network['index'];
+                    $netid = intval($network['index']);
                     exec('sudo wpa_cli -i ' . $iface . ' disconnect ' . $netid);
                     exec('sudo wpa_cli -i ' . $iface . ' remove_network ' . $netid);
                     unset($tmp_networks[$_POST['ssid' . $post_match[1]]]);

includes/dhcp.php

@@ -87,6 +87,10 @@ function DisplayDHCPConfig()
 function saveDHCPConfig($status)
 {
     $iface = $_POST['interface'];
+    if (!validateInterface($iface)) {
+        $status->addMessage('Invalid interface name provided.', 'danger');
+        return false;
+    }
     $return = 1;
 
     // handle disable dhcp option
@@ -140,7 +144,7 @@ function validateDHCPInput()
     $errors = [];
     define('IFNAMSIZ', 16);
     $iface = $_POST['interface'];
-    if (!preg_match('/^[^\s\/\\0]+$/', $iface)
+    if (!preg_match('/^[a-zA-Z0-9_-]+$/', $iface)
         || strlen($iface) >= IFNAMSIZ
     ) {
         $errors[] = _('Invalid interface name.');
@@ -273,7 +277,9 @@ function updateDnsmasqConfig($iface,$status)
     }
     file_put_contents("/tmp/dnsmasqdata", $config);
     $msg = file_exists(RASPI_DNSMASQ_PREFIX.$iface.'.conf') ? 'updated' : 'added';
-    system('sudo cp /tmp/dnsmasqdata '.RASPI_DNSMASQ_PREFIX.$iface.'.conf', $result);
+    $destination = RASPI_DNSMASQ_PREFIX . escapeshellarg($iface . '.conf');
+    $command = sprintf('sudo cp /tmp/dnsmasqdata %s', $destination);
+    system($command, $result);
     if ($result == 0) {
         $status->addMessage('Dnsmasq configuration for '.$iface.' '.$msg.'.', 'success');
     }
@@ -291,7 +297,9 @@ function updateDnsmasqConfig($iface,$status)
     }
     $config .= PHP_EOL;
     file_put_contents("/tmp/dnsmasqdata", $config);
-    system('sudo cp /tmp/dnsmasqdata '.RASPI_DNSMASQ_PREFIX.'raspap.conf', $result);
+    $destination = escapeshellarg(RASPI_DNSMASQ_PREFIX . 'raspap.conf');
+    $command = sprintf('sudo cp /tmp/dnsmasqdata %s', $destination);
+    system($command, $result);
 
     return $result;
 }
@@ -340,7 +348,9 @@ function updateDHCPConfig($iface,$status)
         $status->addMessage('DHCP configuration for '.$iface.' updated.', 'success');
     }
     file_put_contents("/tmp/dhcpddata", $dhcp_cfg);
-    system('sudo cp /tmp/dhcpddata '.RASPI_DHCPCD_CONFIG, $result);
+    $destination = escapeshellarg(RASPI_DHCPCD_CONFIG);
+    $command = sprintf('sudo cp /tmp/dhcpddata %s', $destination);
+    system($command, $result);
 
     return $result;
 }

includes/hostapd.php

@@ -310,7 +310,7 @@ function SaveHostAPDConfig($wpa_array, $enc_types, $modes, $interfaces, $reg_dom
         $status->addMessage('Unknown interface '.htmlspecialchars($_POST['interface'], ENT_QUOTES), 'danger');
         $good_input = false;
     }
-    if (strlen($_POST['country_code']) !== 0 && strlen($_POST['country_code']) != 2) {
+    if (strlen($_POST['country_code']) !== 0 && !preg_match('/^[A-Z]{2}$/', $_POST['country_code'])) {
         $status->addMessage('Country code must be blank or two characters', 'danger');
         $good_input = false;
     } else {
@@ -330,6 +330,7 @@ function SaveHostAPDConfig($wpa_array, $enc_types, $modes, $interfaces, $reg_dom
     $_POST['max_num_sta'] = $_POST['max_num_sta'] < 1 ? null : $_POST['max_num_sta'];
 
     if ($good_input) {
+        $interface = escapeshellarg($_POST['interface']);
         $return = updateHostapdConfig($ignore_broadcast_ssid,$wifiAPEnable,$bridgedEnable);
 
         if (trim($country_code) != trim($reg_domain)) {
@@ -357,7 +358,9 @@ function SaveHostAPDConfig($wpa_array, $enc_types, $modes, $interfaces, $reg_dom
             scanConfigDir('/etc/dnsmasq.d/','uap0',$status);
             $config = join(PHP_EOL, $config);
             file_put_contents("/tmp/dnsmasqdata", $config);
-            system('sudo cp /tmp/dnsmasqdata '.RASPI_DNSMASQ_PREFIX.$ap_iface.'.conf', $return);
+            $destination = RASPI_DNSMASQ_PREFIX . escapeshellarg($ap_iface . '.conf');
+            $command = sprintf('sudo cp /tmp/dnsmasqdata %s', $destination);
+            system($command, $return);
         } elseif ($bridgedEnable !==1) {
             $dhcp_range = ($syscfg['dhcp-range'] =='') ? getDefaultNetValue('dnsmasq',$ap_iface,'dhcp-range') : $syscfg['dhcp-range'];
             $config = [ '# RaspAP '.$_POST['interface'].' configuration' ];
@@ -370,7 +373,9 @@ function SaveHostAPDConfig($wpa_array, $enc_types, $modes, $interfaces, $reg_dom
             $config[] = PHP_EOL;
             $config = join(PHP_EOL, $config);
             file_put_contents("/tmp/dnsmasqdata", $config);
-            system('sudo cp /tmp/dnsmasqdata '.RASPI_DNSMASQ_PREFIX.$ap_iface.'.conf', $return);
+            $destination = RASPI_DNSMASQ_PREFIX . escapeshellarg($ap_iface . '.conf');
+            $command = sprintf('sudo cp /tmp/dnsmasqdata %s', $destination);
+            system($command, $return);
         }
 
         // Set dhcp values from system config, fallback to default if undefined
@@ -524,7 +529,9 @@ function updateHostapdConfig($ignore_broadcast_ssid,$wifiAPEnable,$bridgedEnable
     $config.= parseUserHostapdCfg();
 
     file_put_contents("/tmp/hostapddata", $config);
-    system("sudo cp /tmp/hostapddata " . RASPI_HOSTAPD_CONFIG, $result);
+    $destination = escapeshellarg(RASPI_HOSTAPD_CONFIG);
+    $command = sprintf("sudo cp /tmp/hostapddata %s", $destination);
+    system($command, $result);
     return $result;
 }