From 8f43daf50c943b98eaf0c542da901a4a16e85b02 Mon Sep 17 00:00:00 2001
From: Richard Lobb
Date: Fri, 20 Nov 2020 14:39:27 +1300
Subject: [PATCH] Prevent command injection attacks via the cputime parameter. Fixes issue #39 (https://github.com/trampgeek/jobe/issues/39). Thanks Marlon (myxxl).
---
 application/libraries/LanguageTask.php | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/application/libraries/LanguageTask.php b/application/libraries/LanguageTask.php
index 25cbd7e..4df14f4 100644
--- a/application/libraries/LanguageTask.php
+++ b/application/libraries/LanguageTask.php
@@ -324,17 +324,25 @@ public function run_in_sandbox($wrappedCmd, $iscompile=true, $stdin=null) {
 /*
 * Get the value of the job parameter $key, which is taken from the
- * value copied into $this from the run request if present of from the
+ * value copied into $this from the run request if present or from the
 * system defaults otherwise.
+ * If a non-numeric value is provided for a parameter that has a numeric
+ * default, the default is used instead. This prevents command injection
+ * as per issue #39 (https://github.com/trampgeek/jobe/issues/39). Thanks
+ * Marlon (myxl).
 * If $iscompile is true and the parameter value is less than that specified
 * in $min_params_compile (except if it's 0 meaning no limit), the minimum
 * value is used instead.
 */
 protected function getParam($key, $iscompile=false) {
+ $default = $this->default_params[$key];
 if (isset($this->params) && array_key_exists($key, $this->params)) {
 $param = $this->params[$key];
+ if (is_numeric($default) && !is_numeric($param)) {
+ $param = $default; // Prevent command injection attacks.
+ }
 } else {
- $param = $this->default_params[$key];
+ $param = $default;
 }
 // ** BUG ** The min_params_compile value is being applied even if
 // this is not a compile. I'm reluctant to fix, however, as it may
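Review bot: The new `is_numeric($param)` guard in getParam rejects only strings that PHP does not consider numeric, so forms such as `"1e3"`, `" 12"` or `".5"` still pass even though they are unlikely to be valid for the limit the value feeds, and the guard is silently skipped for any key whose default happens not to be numeric. Validating to the concrete type expected is tighter and self-documenting, e.g. `$clean = filter_var($param, FILTER_VALIDATE_INT); $param = $clean === false ? $default : $clean;` (or `FILTER_VALIDATE_FLOAT` if fractional limits are legitimate), so what is handed on is a plain number rather than a numeric-looking string. Substituting the default also hides a malformed request from the caller; whether a 4xx response would be more appropriate depends on the API contract, which is outside this hunk. The docblock credits `Marlon (myxl)` while the commit message says `myxxl`, so one spelling is presumably wrong. getParam's body continues past the end of this hunk.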
@@ -347,6 +355,7 @@ protected function getParam($key, $iscompile=false) {
 }
+
 // Check if PHP exec environment includes a PATH. If not, set up a
 // default, or gcc misbehaves. [Thanks to Binoj D for this bug fix,
 // needed on his CentOS system.]