luci-app-openvpn: security fix

- fixed a critical path traversal vulnerability in `luci-app-openvpn`
  that allowed authenticated users to upload arbitrary files
  and achieve root code execution.

Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit e9ebca7598)
Dirk Brenken
2026-05-10 21:31:10 +02:00
committed by Paul Donald
parent 4361020004
commit 739d307be3
@@ -19,7 +19,15 @@ function ovpn_upload()
local uci = require("luci.model.uci").cursor()
local upload = http.formvalue("ovpn_file")
local name = http.formvalue("instance_name2")
local basedir = "/etc/openvpn"
-- SECURITY FIX: Validate instance_name2 to prevent path traversal
-- Allow only alphanumeric, underscore, and hyphen (standard UCI naming)
if not name or not name:match("^[a-zA-Z0-9_-]+$") then
http.status(400, "Bad Request")
http.write("Invalid instance name")
return
end
local file = basedir.. "/" ..name.. ".ovpn"
if not fs.stat(basedir) then
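Review bot: The character class in `name:match("^[a-zA-Z0-9_-]+$")` admits a hyphen, which the comment calls standard UCI naming, but UCI section names accept only letters, digits and underscore. If `name` is later used as the UCI section name (the rest of `ovpn_upload` lies outside this hunk, so this is inferred), a hyphenated name could pass this check and leave `/etc/openvpn/<name>.ovpn` on disk with no matching section. Tightening the guard to `if not name or not name:match("^[a-zA-Z0-9_]+$") then` and rewording the comment to match would keep the filename and the section name under one rule. The traversal itself is closed by the anchored allow-list, since `/` and `.` are both rejected and Lua's `$` matches only at the true end of the string.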