Autres/RaspAP
1
0
Fork 0
mirror of https://github.com/billz/raspap-webgui.git synced 2025-07-09 20:57:40 +02:00
Code Issues Releases Wiki Activity

Fix: Sanitize $peer_conf before output to header

Browse Source
This commit is contained in:
billz 2025-03-20 02:04:00 -07:00
parent c53c1a27a4
commit 795d55a2cd
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
app/img/wg-qr-code.php
View File

@ -13,6 +13,7 @@ if (!isset($_SERVER['HTTP_REFERER'])) {
exec("sudo cat " .RASPI_WIREGUARD_PATH.'client.conf', $return); exec("sudo cat " .RASPI_WIREGUARD_PATH.'client.conf', $return);
$peer_conf = implode(PHP_EOL,$return); $peer_conf = implode(PHP_EOL,$return);
$peer_conf.= PHP_EOL; $peer_conf.= PHP_EOL;
$peer_conf_sanitized = str_replace(["\r", "\n"], '', $peer_conf);
$command = "qrencode -t svg -m 0 -o - " . mb_escapeshellarg($peer_conf); $command = "qrencode -t svg -m 0 -o - " . mb_escapeshellarg($peer_conf);
$svg = shell_exec($command); $svg = shell_exec($command);
$etag = hash('sha256', $peer_conf); $etag = hash('sha256', $peer_conf);
@ -23,6 +24,6 @@ header("Content-Type: image/svg+xml");
header("Content-Length: $content_length"); header("Content-Length: $content_length");
header("Last-Modified: $last_modified"); header("Last-Modified: $last_modified");
header("ETag: \"$etag\""); header("ETag: \"$etag\"");
header("X-QR-Code-Content: $peer_conf"); header("X-QR-Code-Content: $peer_conf_sanitized");
echo shell_exec($command); echo shell_exec($command);