From 92ea4dc8dbeea9617dd3200ce635f455fba7ee33 Mon Sep 17 00:00:00 2001
From: FusionPBX
Date: Sun, 22 Mar 2026 03:34:26 +0000
Subject: [PATCH] Add sanitize for the lua copy function
---
 app/switch/resources/scripts/resources/functions/copy.lua | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/app/switch/resources/scripts/resources/functions/copy.lua b/app/switch/resources/scripts/resources/functions/copy.lua
index b7de95effd..daf56c3f51 100644
--- a/app/switch/resources/scripts/resources/functions/copy.lua
+++ b/app/switch/resources/scripts/resources/functions/copy.lua
@@ -1,5 +1,9 @@
 --add the copy function
 function copy(src,dst)
+ --retrieve allowed characters and then use it to sanitize the dir variable
+ local allowed_chars = os.getenv("ALLOWED_CHARS") or "^%a%d%-%._~/"
+ dir = dir:gsub("[^" .. allowed_chars .. "]", "")
+
 if (package.config:sub(1,1) == "/") then
 --unix
 cmd = [[cp "]] .. src .. [[" "]] .. dst .. [["]];
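Review bot: The added `dir = dir:gsub(...)` line filters `dir`, which is neither a parameter nor a local of `copy(src,dst)`, so the two values this hunk concatenates into the `cp` command line, `src` and `dst`, still reach the shell unsanitized. If no global `dir` is defined the call raises on a nil index, and if one is defined it is silently overwritten with the filtered value. The filter should be applied to the arguments instead: `src = src:gsub("[^" .. allowed_chars .. "]", "")` and the same for `dst`. The default `"^%a%d%-%._~/"` also starts with `^` while the pattern already supplies `[^`, so a literal caret ends up in the allowed set, and spaces, `\` and `:` are stripped, which would silently change any path that contains them (including Windows paths, if a Windows branch exists further down). The body of `copy` continues past the end of the hunk, so the rest of the command construction is not visible here.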