scottk/control-pane
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/control-pane.git synced 2025-11-01 02:17:52 +00:00
Code Issues Packages Projects Releases Wiki Activity

use parse_url to get my host via HTTP_HOST

Browse Source
This commit is contained in:
olevole
2023-02-26 21:25:57 +03:00
parent 726525a8ec
commit 7e6a6e60d3
1 changed files with 13 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
public/vnc.php
View File

@@ -16,6 +16,7 @@ function runVNC($jname)
// HTTP_HOST is preferred for href // HTTP_HOST is preferred for href
if (isset($_SERVER['HTTP_HOST']) && !empty(trim($_SERVER['HTTP_HOST']))){ if (isset($_SERVER['HTTP_HOST']) && !empty(trim($_SERVER['HTTP_HOST']))){
$nodeip = $_SERVER['HTTP_HOST']; $nodeip = $_SERVER['HTTP_HOST'];
$nodeip = parse_url($nodeip, PHP_URL_HOST);
} else { } else {
# use localhost as fallback in case the HTTP_HOST header is not set # use localhost as fallback in case the HTTP_HOST header is not set
$nodeip = '127.0.0.1'; $nodeip = '127.0.0.1';
@@ -42,4 +43,12 @@ require_once($rp.'/php/db.php');
require_once($rp.'/php/cbsd.php'); require_once($rp.'/php/cbsd.php');
require_once($rp.'/php/validate.php'); require_once($rp.'/php/validate.php');
runVNC(Validate::short_string($_GET['jname'], 32));
$jname = trim(preg_replace('/\t+|\r|\n/', '', $_GET['jname']));
if ($jname != escapeshellcmd($jname)){
Utils::clonos_syslog("cmd.php SHELL ESCAPE:". $jname);
die("Shell escape attempt");
}
runVNC(Validate::long_string($jname));