- added blacklisted paths

Marius Burkard · Marius Burkard · commit cb4ddc318c00 · 2020-07-24T12:47:43.000+02:00
diff --git a/interface/lib/classes/system.inc.php b/interface/lib/classes/system.inc.php
@@ -68,7 +68,7 @@ public function has_service($userid, $service) {
 	}
 
 	public function is_blacklisted_web_path($path) {
-		$blacklist = array('bin', 'cgi-bin', 'dev', 'etc', 'home', 'lib', 'lib64', 'log', 'ssl', 'usr', 'var');
+		$blacklist = array('bin', 'cgi-bin', 'dev', 'etc', 'home', 'lib', 'lib64', 'log', 'ssl', 'usr', 'var', 'proc', 'net', 'sys', 'srv', 'sbin', 'run');
 
 		$path = ltrim($path, '/');
 		$parts = explode('/', $path);
diff --git a/server/lib/classes/system.inc.php b/server/lib/classes/system.inc.php
@@ -1788,7 +1788,7 @@ function set_immutable($path, $enable = true, $recursive = false) {
 	}
 
 	public function is_blacklisted_web_path($path) {
-		$blacklist = array('bin', 'cgi-bin', 'dev', 'etc', 'home', 'lib', 'lib64', 'log', 'ssl', 'usr', 'var');
+		$blacklist = array('bin', 'cgi-bin', 'dev', 'etc', 'home', 'lib', 'lib64', 'log', 'ssl', 'usr', 'var', 'proc', 'net', 'sys', 'srv', 'sbin', 'run');
 
 		$path = ltrim($path, '/');
 		$parts = explode('/', $path);

Original file line number	Diff line number	Diff line change
`@@ -68,7 +68,7 @@ public function has_service($userid, $service) {`
`68`	`68`	`}`
`69`	`69`
`70`	`70`	`public function is_blacklisted_web_path($path) {`
`71`		`- $blacklist = array('bin', 'cgi-bin', 'dev', 'etc', 'home', 'lib', 'lib64', 'log', 'ssl', 'usr', 'var');`
	`71`	`+ $blacklist = array('bin', 'cgi-bin', 'dev', 'etc', 'home', 'lib', 'lib64', 'log', 'ssl', 'usr', 'var', 'proc', 'net', 'sys', 'srv', 'sbin', 'run');`
`72`	`72`
`73`	`73`	`$path = ltrim($path, '/');`
`74`	`74`	`$parts = explode('/', $path);`
Original file line number	Diff line number	Diff line change
`@@ -1788,7 +1788,7 @@ function set_immutable($path, $enable = true, $recursive = false) {`
`1788`	`1788`	`}`
`1789`	`1789`
`1790`	`1790`	`public function is_blacklisted_web_path($path) {`
`1791`		`- $blacklist = array('bin', 'cgi-bin', 'dev', 'etc', 'home', 'lib', 'lib64', 'log', 'ssl', 'usr', 'var');`
	`1791`	`+ $blacklist = array('bin', 'cgi-bin', 'dev', 'etc', 'home', 'lib', 'lib64', 'log', 'ssl', 'usr', 'var', 'proc', 'net', 'sys', 'srv', 'sbin', 'run');`
`1792`	`1792`
`1793`	`1793`	`$path = ltrim($path, '/');`
`1794`	`1794`	`$parts = explode('/', $path);`