fix buggy traversion detection code (hestiacp#2762)

divinity76 · web-flow · commit 352d0b3708d8 · 2022-07-13T17:54:47.000+02:00
* fix buggy traversion detection code ref hestiacp#2760 * same bug here, HESTIA_CMD is not a filepath/command its 2, sudo AND something else
diff --git a/web/api/index.php b/web/api/index.php
@@ -1,5 +1,6 @@
 <?php
 //die("Error: Disabled");
+define('HESTIA_DIR_BIN', '/usr/local/hestia/bin/');
 define('HESTIA_CMD', '/usr/bin/sudo /usr/local/hestia/bin/');
 
 include($_SERVER['DOCUMENT_ROOT']."/inc/helpers.php");
diff --git a/web/download/web-log/index.php b/web/download/web-log/index.php
@@ -26,12 +26,13 @@
     $type = 'error';
 }
 $cmd = implode(" ", array(
-    escapeshellarg(HESTIA_CMD . "v-list-web-domain-" . $type . "log"),
+    '/usr/bin/sudo ' . escapeshellarg(HESTIA_DIR_BIN . "v-list-web-domain-" . $type . "log"),
     // $user is already shell-escaped
     $user,
     escapeshellarg($v_domain),
     "5000",
 ));
+
 passthru($cmd, $return_var);
 if ($return_var != 0) {
     $errstr = "Internal server error: command returned non-zero: {$return_var}: {$cmd}";
diff --git a/web/inc/main.php b/web/inc/main.php
@@ -15,6 +15,7 @@
 
 require 'vendor/autoload.php';
 
+define('HESTIA_DIR_BIN', '/usr/local/hestia/bin/');
 define('HESTIA_CMD', '/usr/bin/sudo /usr/local/hestia/bin/');
 define('DEFAULT_PHP_VERSION', 'php-' . exec('php -r "echo substr(phpversion(),0,3);"'));
 
diff --git a/web/src/app/System/HestiaApp.php b/web/src/app/System/HestiaApp.php
@@ -16,13 +16,13 @@ public function __construct()
 
     public function run(string $cmd, $args, &$cmd_result=null): bool
     {
-        $cli_script = realpath(HESTIA_CMD . '/' . $cmd);
-        if(!str_starts_with((string)$cli_script, HESTIA_CMD."/" )){
-            $errstr = "$cmd is trying to traverse outside of " .HESTIA_CMD;
+        $cli_script = realpath(HESTIA_DIR_BIN . $cmd);
+        if (!str_starts_with((string) $cli_script, HESTIA_DIR_BIN)) {
+            $errstr = "$cmd is trying to traverse outside of " . HESTIA_DIR_BIN;
             trigger_error($errstr);
-            throw new \Exception($errstr);   
+            throw new \Exception($errstr);
         }
-        $cli_script = escapeshellarg($cli_script);
+        $cli_script = '/usr/bin/sudo ' . escapeshellarg($cli_script);
 
         if (!empty($args) && is_array($args)) {
             foreach ($args as $arg) {
