From 795d55a2cd2e0c3e6c162958105cd0eb7cbcb66c Mon Sep 17 00:00:00 2001
From: billz
Date: Thu, 20 Mar 2025 02:04:00 -0700
Subject: [PATCH] Fix: Sanitize $peer_conf before output to header
---
 app/img/wg-qr-code.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/app/img/wg-qr-code.php b/app/img/wg-qr-code.php
index 7a66e6fc..c487fbc1 100755
--- a/app/img/wg-qr-code.php
+++ b/app/img/wg-qr-code.php
@@ -13,6 +13,7 @@ if (!isset($_SERVER['HTTP_REFERER'])) {
 exec("sudo cat " .RASPI_WIREGUARD_PATH.'client.conf', $return);
 $peer_conf = implode(PHP_EOL,$return);
 $peer_conf.= PHP_EOL;
+$peer_conf_sanitized = str_replace(["\r", "\n"], '', $peer_conf);
 $command = "qrencode -t svg -m 0 -o - " . mb_escapeshellarg($peer_conf);
 $svg = shell_exec($command);
 $etag = hash('sha256', $peer_conf);
@@ -23,6 +24,6 @@ header("Content-Type: image/svg+xml");
 header("Content-Length: $content_length");
 header("Last-Modified: $last_modified");
 header("ETag: \"$etag\"");
-header("X-QR-Code-Content: $peer_conf");
+header("X-QR-Code-Content: $peer_conf_sanitized");
 echo shell_exec($command);
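Review bot: Stripping only `\r` and `\n` in the added `str_replace` line fuses the config lines into one undelimited string, so the header value no longer maps back to what the QR code encodes, and any other control bytes in the file pass through unchanged. If the header is meant to be read by a client, encoding is more dependable than a denylist, for example `$peer_conf_sanitized = base64_encode($peer_conf);`, which is single-line ASCII by construction. A comment such as `// header values must be single-line: encode, do not strip` would record why the second variable exists. The script starts and ends outside this hunk.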
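Review bot: The rewritten `header("X-QR-Code-Content: $peer_conf_sanitized");` line still puts the whole of `client.conf` into a response header, and a WireGuard client file would normally include the peer's private key. Response headers are recorded by proxies and debugging tools more readily than an image body. As far as I know PHP's `header()` refuses a value containing a newline, so before this change the header was probably never emitted and now it is. Unless something consumes it, deleting the line is the smaller exposure, and the existing `ETag` already gives clients a digest of the content. The only access check visible in the hunk context is `isset($_SERVER['HTTP_REFERER'])`, which any client can satisfy, so it should not be relied on to protect this value.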