Merge pull request #2635 from skarlcf/security/CVE-2023-23596

Mitigate CVE-2023-23596
2024-08-30 18:22:48 +00:00 · 2023-03-08 08:25:38 +10:00 · 2023-03-08 08:25:38 +10:00 · 30076a0e66
commit 30076a0e66
parent 42bd39163a 2ff66ee238
2 changed files with 19 additions and 2 deletions
--- a/backend/internal/access-list.js
+++ b/backend/internal/access-list.js
@ -507,7 +507,7 @@ const internalAccessList = {
 								if (typeof item.password !== 'undefined' && item.password.length) {
 									logger.info('Adding: ' + item.username);

-									utils.exec('/usr/bin/htpasswd -b "' + htpasswd_file + '" "' + item.username + '" "' + item.password + '"')
+									utils.execFile('/usr/bin/htpasswd', ['-b', htpasswd_file, item.username, item.password])
 										.then((/*result*/) => {
 											next();
 										})
--- a/backend/lib/utils.js
+++ b/backend/lib/utils.js
@ -1,4 +1,5 @@
-const exec = require('child_process').exec;
+const exec     = require('child_process').exec;
+const execFile = require('child_process').execFile;

 module.exports = {

@ -16,5 +17,21 @@ module.exports = {
 				}
 			});
 		});
+	},
+
+	/**
+	 * @param   {Array} cmd
+	 * @returns {Promise}
+	 */
+	execFile: function (cmd) {
+		return new Promise((resolve, reject) => {
+			execFile(cmd, function (err, stdout, /*stderr*/) {
+				if (err && typeof err === 'object') {
+					reject(err);
+				} else {
+					resolve(stdout.trim());
+				}
+			});
+		});
 	}
 };