From ea1e22613edf2ffa5e6fed6914bb35df04ccde47 Mon Sep 17 00:00:00 2001
From: Anton Reutov
Date: Tue, 27 Jul 2021 14:42:25 +0300
Subject: [PATCH] Restrict v-make-tmp-file to tmp folder
---
 web/api/index.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/web/api/index.php b/web/api/index.php
index 80f72b99e..b19693670 100644
--- a/web/api/index.php
+++ b/web/api/index.php
@@ -104,7 +104,7 @@ if (isset($_POST['user']) || isset($_POST['hash'])) {
 // Check command
 if ($cmd == "'v-make-tmp-file'") {
 // Used in DNS Cluster
- $fp = fopen($_POST['arg2'], 'w');
+ $fp = fopen('/tmp/'.basename($_POST['arg2']), 'w');
 fwrite($fp, $_POST['arg1']."\n");
 fclose($fp);
 $return_var = 0;
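Review bot: The `fopen()` result on the added line is still used unchecked, so an `arg2` that `basename()` reduces to an empty string, `.` or `..` makes the open fail while the branch goes on to `fwrite()`/`fclose()` and still sets `$return_var = 0`. Testing `$fp === false` before the write and setting a non-zero `$return_var` in that case would let the DNS cluster caller see the failure instead of a false success. Because `/tmp` is shared and world-writable, mode `'w'` will also follow a symlink already present under the chosen name unless the kernel's protected-symlinks setting blocks it, so the write can still resolve outside `/tmp`. Mode `'x'` (exclusive create) or a private directory owned by the panel user would not depend on that setting, provided the caller never needs to overwrite an existing file. The enclosing `if (isset($_POST['user']) || isset($_POST['hash']))` block starts and ends outside the hunk, so what validation runs before this branch cannot be confirmed from here.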