scottk/control-pane
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/control-pane.git synced 2025-10-30 01:22:24 +00:00
Code Issues Packages Projects Releases Wiki Activity

use parse_url to get my host via HTTP_HOST

Browse Source
This commit is contained in:
olevole
2023-02-26 21:25:57 +03:00
parent 726525a8ec
commit 7e6a6e60d3
1 changed files with 13 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
public/vnc.php
View File

@@ -1,5 +1,5 @@
<?php
if(!isset($_GET['jname'])){
echo 'You forgot to specify a name of jail!';
exit;
@@ -10,12 +10,13 @@ function runVNC($jname)
$res = (new Db('base','local'))->selectOne("SELECT vnc_password FROM bhyve WHERE jname=?", array([$jname]));
$pass = ($res !== false) ? $res['vnc_password'] : 'cbsd';
CBSD::run("vm_vncwss jname=%s permit=%s", array($jname, $_SERVER['REMOTE_ADDR']));
// HTTP_HOST is preferred for href
if (isset($_SERVER['HTTP_HOST']) && !empty(trim($_SERVER['HTTP_HOST']))){
$nodeip = $_SERVER['HTTP_HOST'];
$nodeip = parse_url($nodeip, PHP_URL_HOST);
} else {
# use localhost as fallback in case the HTTP_HOST header is not set
$nodeip = '127.0.0.1';
@@ -41,5 +42,13 @@ $rp = realpath('../');
require_once($rp.'/php/db.php');
require_once($rp.'/php/cbsd.php');
require_once($rp.'/php/validate.php');
runVNC(Validate::short_string($_GET['jname'], 32));
$jname = trim(preg_replace('/\t+|\r|\n/', '', $_GET['jname']));
if ($jname != escapeshellcmd($jname)){
Utils::clonos_syslog("cmd.php SHELL ESCAPE:". $jname);
die("Shell escape attempt");
}
runVNC(Validate::long_string($jname));