Skip to content

update.php fixes (OS-490)#2685

Open
elibosley wants to merge 1 commit into
7.2from
update-php-file-fixes-7.2
Open

update.php fixes (OS-490)#2685
elibosley wants to merge 1 commit into
7.2from
update-php-file-fixes-7.2

Conversation

@elibosley

@elibosley elibosley commented Jun 29, 2026

Copy link
Copy Markdown
Member

Restrict update.php #file writes to the expected configuration roots (/boot/config, /etc/wireguard) so a write cannot land outside config storage via an absolute path or ...

  • Resolve the target with realpath() (collapsing ../symlinks) and range-check it with a shared in_safe_path() helper.
  • Promote in_safe_path() into Wrappers.php so update.php and FileUpload.php share one implementation (drops the duplicate copy in FileUpload.php).
  • Add a regression test that drives the real update.php and asserts out-of-root targets are refused while legitimate /boot/config writes still succeed.

Relative #file paths are unaffected (still placed under /boot/config/plugins/).

Linear

  • OS-490

@coderabbitai

coderabbitai Bot commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 7ff3a280-f08f-477c-87f4-927ca20d4f05

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch update-php-file-fixes-7.2

Comment @coderabbitai help to get the list of available commands.

@github-actions

github-actions Bot commented Jun 29, 2026

Copy link
Copy Markdown

🔧 PR Test Plugin Available

A test plugin has been generated for this PR that includes the modified files.

Version: 2026.06.29.2026
Build: View Workflow Run

📥 Installation Instructions:

Install via Unraid Web UI:

  1. Go to Plugins → Install Plugin
  2. Copy and paste this URL:
https://preview.dl.unraid.net/pr-plugins/pr-2685/webgui-pr-2685.plg
  1. Click Install

Alternative: Direct Download

⚠️ Important Notes:

  • Testing only: This plugin is for testing PR changes
  • Backup included: Original files are automatically backed up
  • Easy removal: Files are restored when plugin is removed
  • Conflicts: Remove this plugin before installing production updates
  • Post-merge behavior: This preview stays available after merge until preview storage expires or it is manually cleaned up

📝 Modified Files:

Click to expand file list
emhttp/update.php

🔄 To Remove:

Navigate to Plugins → Installed Plugins and remove webgui-pr-2685, or run:

plugin remove webgui-pr-2685

🤖 This comment is automatically generated and will be updated with each new push to this PR.

@elibosley
elibosley force-pushed the update-php-file-fixes-7.2 branch from 12cd4d4 to 87e4323 Compare June 29, 2026 16:48
@elibosley

elibosley commented Jun 29, 2026

Copy link
Copy Markdown
Member Author

Verifying this change (not committed)

One-line hardening of update.php's #command handler: the realpath-resolved command must stay inside the document root before it runs, so a ../-escape can't execute a binary outside the webgui.

Offline check from the repo root — should print blocked:

php -d short_open_tag=On -r '
  error_reporting(0);
  $_SERVER["DOCUMENT_ROOT"] = getcwd()."/emhttp";
  $_POST = ["#command" => "../../../../../../bin/echo", "#arg" => ["PWNED"]];
  chdir("emhttp"); include "update.php";
' | grep -q PWNED && echo "NOT contained" || echo "blocked"

On a running server: an authenticated POST with #command=../../../../../../bin/touch + #arg[]=/tmp/x must not create /tmp/x, and syslog logs Invalid #command: .... Legit #command scripts under /webGui/scripts and /plugins/*/scripts still run.

@elibosley
elibosley force-pushed the update-php-file-fixes-7.2 branch from 87e4323 to d0597c9 Compare June 29, 2026 17:00
Re-check the resolved #command path stays inside the document root before
executing it, so an authenticated request cannot use realpath() traversal
(e.g. starting at $docroot then '../') to run a binary outside the webgui.

Refs: OS-489
@elibosley
elibosley force-pushed the update-php-file-fixes-7.2 branch from d0597c9 to 286101e Compare June 29, 2026 20:26
@unraid-bot unraid-bot added the 7.2.8 Approved for release 7.2.8 (auto-managed by notification-worker) label Jun 29, 2026
@elibosley elibosley changed the title update.php fixes update.php fixes (OS-490) Jul 8, 2026
@unraid-bot unraid-bot removed the 7.2.8 Approved for release 7.2.8 (auto-managed by notification-worker) label Jul 8, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants