br0kenpixel/Tricky-Addon-Update-Target-List
1
0
Fork 0
mirror of https://github.com/KOWX712/Tricky-Addon-Update-Target-List.git synced 2025-09-06 06:37:09 +00:00
Code Issues Packages Projects Releases 1 Wiki Activity

Prevent code injection from downloaded keybox file (#23)

Browse Source 
* add sanitization of arbitrary keybox content
This commit is contained in:
Filip Kalný
2025-03-09 02:36:48 +01:00
committed by GitHub
parent 1db0259f36
commit a119c58279
1 changed files with 2 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
module/webui/scripts/menu_option.js
View File

@@ -175,10 +175,11 @@ export async function setupSystemAppMenu() {
// Function to backup previous keybox and set new keybox // Function to backup previous keybox and set new keybox
async function setKeybox(content) { async function setKeybox(content) {
const sanitizedContent = content.replace(/'/g, "'\\''");
try { try {
await execCommand(` await execCommand(`
mv -f /data/adb/tricky_store/keybox.xml /data/adb/tricky_store/keybox.xml.bak 2>/dev/null mv -f /data/adb/tricky_store/keybox.xml /data/adb/tricky_store/keybox.xml.bak 2>/dev/null
echo '${content}' > /data/adb/tricky_store/keybox.xml echo '${sanitizedContent}' > /data/adb/tricky_store/keybox.xml
chmod 644 /data/adb/tricky_store/keybox.xml chmod 644 /data/adb/tricky_store/keybox.xml
`); `);
return true; return true;