From 7e6a6e60d33d340f86a1107ffe8c24e81cf3e08c Mon Sep 17 00:00:00 2001 From: olevole Date: Sun, 26 Feb 2023 21:25:57 +0300 Subject: [PATCH] use parse_url to get my host via HTTP_HOST --- public/vnc.php | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/public/vnc.php b/public/vnc.php index f2999a4a..c1279a94 100644 --- a/public/vnc.php +++ b/public/vnc.php @@ -1,5 +1,5 @@ selectOne("SELECT vnc_password FROM bhyve WHERE jname=?", array([$jname])); $pass = ($res !== false) ? $res['vnc_password'] : 'cbsd'; - + CBSD::run("vm_vncwss jname=%s permit=%s", array($jname, $_SERVER['REMOTE_ADDR'])); // HTTP_HOST is preferred for href if (isset($_SERVER['HTTP_HOST']) && !empty(trim($_SERVER['HTTP_HOST']))){ $nodeip = $_SERVER['HTTP_HOST']; + $nodeip = parse_url($nodeip, PHP_URL_HOST); } else { # use localhost as fallback in case the HTTP_HOST header is not set $nodeip = '127.0.0.1'; @@ -41,5 +42,13 @@ $rp = realpath('../'); require_once($rp.'/php/db.php'); require_once($rp.'/php/cbsd.php'); require_once($rp.'/php/validate.php'); - -runVNC(Validate::short_string($_GET['jname'], 32)); \ No newline at end of file + + +$jname = trim(preg_replace('/\t+|\r|\n/', '', $_GET['jname'])); + +if ($jname != escapeshellcmd($jname)){ + Utils::clonos_syslog("cmd.php SHELL ESCAPE:". $jname); + die("Shell escape attempt"); +} + +runVNC(Validate::long_string($jname));
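Review bot: The added `parse_url($nodeip, PHP_URL_HOST)` is applied to a bare Host header value, which carries no scheme; for a value without a port, parse_url is expected to treat the whole string as a path and return null, and the result is never checked, so `$nodeip` can end up empty. Parsing with a leading `//` and falling back when no host comes out would cover both forms: `$nodeip = parse_url('//' . $_SERVER['HTTP_HOST'], PHP_URL_HOST) ?: '127.0.0.1';`. HTTP_HOST is also supplied by the client, so if the value ends up in a link or connection target it is worth comparing it against the hostnames this node is configured to serve. runVNC starts and ends outside the hunk, so how `$nodeip` is used afterwards is not visible here.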
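Review bot: `$_GET['jname']` is passed to `preg_replace` and `trim` without checking that it is present and a string, so a missing parameter or an array value produces a warning or a TypeError instead of a clean rejection; a guard such as `if (!isset($_GET['jname']) || !is_string($_GET['jname'])) { die('Bad jname'); }` ahead of the new lines would close that. The comparison against `escapeshellcmd` is a denylist, and the change drops the 32-character bound of the removed `Validate::short_string` call; `Validate::long_string` is not visible here, so confirm it still limits length and character set, or match the name against an explicit pattern of allowed jail-name characters. The syslog message is tagged `cmd.php` although this file is `public/vnc.php`, which will mislead anyone triaging the log; `"vnc.php SHELL ESCAPE: "` would be accurate. `!==` is preferable to `!=` for the string comparison, and `Utils` is not among the files required in the visible lines, so check that one of them loads it before the rejection path relies on it.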