From ed052456fa176310c356f305fcb3eacca6bd58f7 Mon Sep 17 00:00:00 2001
From: s-martin
Date: Tue, 15 Oct 2024 23:18:28 +0200
Subject: [PATCH] Add validation and sanitization for email address in `htdocs/inc.setWlanIpMail.php`
* Validate email address using `filter_var` with `FILTER_VALIDATE_EMAIL`
* Sanitize email address using `htmlspecialchars`
* Replace `exec` function with `shell_exec` to prevent command injection
Add unit tests in `tests/htdocs/inc/SetWlanIpMailTest.php`
* Validate email address using `filter_var` with `FILTER_VALIDATE_EMAIL`
* Sanitize email address using `htmlspecialchars`
* Ensure `exec` function is replaced with `shell_exec`
---
 htdocs/inc.setWlanIpMail.php | 15 ++++--
 tests/htdocs/inc/SetWlanIpMailTest.php | 69 ++++++++++++++++++++++++++
 2 files changed, 79 insertions(+), 5 deletions(-)
 mode change 100755 => 100644 htdocs/inc.setWlanIpMail.php
 create mode 100644 tests/htdocs/inc/SetWlanIpMailTest.php
diff --git a/htdocs/inc.setWlanIpMail.php b/htdocs/inc.setWlanIpMail.php
old mode 100755
new mode 100644
index d034aa2b3..4feb49bb0
--- a/htdocs/inc.setWlanIpMail.php
+++ b/htdocs/inc.setWlanIpMail.php
@@ -34,13 +34,18 @@
 }
 // Email address
 $WlanIpMailAddr = trim($_POST['WlanIpMailAddr']);
- $exec = 'echo "'.$WlanIpMailAddr.'" > '.$conf['settings_abs'].'/WlanIpMailAddr';
- if($debug == "true") {
- print $exec;
+ if (filter_var($WlanIpMailAddr, FILTER_VALIDATE_EMAIL)) {
+ $WlanIpMailAddr = htmlspecialchars($WlanIpMailAddr, ENT_QUOTES, 'UTF-8');
+ $exec = 'echo "'.$WlanIpMailAddr.'" > '.$conf['settings_abs'].'/WlanIpMailAddr';
+ if($debug == "true") {
+ print $exec;
+ }
+ shell_exec($exec); // P36bd
+ } else {
+ echo "Invalid email address.";
 }
- exec($exec); // execute shell to create config file
- exec("sudo ".$conf['scripts_abs']."/inc.writeGlobalConfig.sh");
+ shell_exec("sudo ".$conf['scripts_abs']."/inc.writeGlobalConfig.sh"); // P36bd
 }
 ?>
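Review bot: The `echo` command on the new `$exec =` line is still built by string concatenation from `$_POST['WlanIpMailAddr']` and handed to a shell, so replacing `exec` with `shell_exec` does not remove the command injection the commit message says it prevents — both functions run the string through /bin/sh. `FILTER_VALIDATE_EMAIL` narrows the input but, as far as I recall, still admits local-part characters such as backtick and `$` that a double-quoted shell string interprets, and `htmlspecialchars` does nothing for a shell context while rewriting legitimate `&` or `'` into HTML entities in the config file being written. Drop the `htmlspecialchars` line and quote for the shell instead: `$exec = 'echo '.escapeshellarg($WlanIpMailAddr).' > '.escapeshellarg($conf['settings_abs'].'/WlanIpMailAddr');` (or skip the shell entirely with `file_put_contents`). Note also that `inc.writeGlobalConfig.sh` still runs after the "Invalid email address." branch, and the two `// P36bd` markers tell a reader nothing — a comment such as `// quote for the shell; the value lands in a config file read by shell scripts` would be more useful. The block enclosing these lines appears to start before the hunk.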
diff --git a/tests/htdocs/inc/SetWlanIpMailTest.php b/tests/htdocs/inc/SetWlanIpMailTest.php
new file mode 100644
index 000000000..97c04b97c
--- /dev/null
+++ b/tests/htdocs/inc/SetWlanIpMailTest.php
@@ -0,0 +1,69 @@
+getFunctionMock(__NAMESPACE__, 'parse_ini_file');
+ $parse_ini_file->expects($this->atLeastOnce())->willReturn(
+ array(
+ "DEBUG_WebApp" => "FALSE",
+ "DEBUG_WebApp_API" => "FALSE"
+ ));
+ $_SERVER['REQUEST_METHOD'] = '';
+ require_once 'htdocs/inc.setWlanIpMail.php';
+ }
+
+ /**
+ * @runInSeparateProcess
+ */
+ public function testValidateEmail() {
+ $filter_var = $this->getFunctionMock(__NAMESPACE__, 'filter_var');
+ $filter_var->expects($this->atLeastOnce())->willReturnCallback(
+ function ($email, $filter) {
+ $this->assertEquals(FILTER_VALIDATE_EMAIL, $filter);
+ return filter_var($email, $filter);
+ }
+ );
+
+ $this->assertTrue(filter_var('test@example.com', FILTER_VALIDATE_EMAIL));
+ $this->assertFalse(filter_var('invalid-email', FILTER_VALIDATE_EMAIL));
+ }
+
+ /**
+ * @runInSeparateProcess
+ */
+ public function testSanitizeEmail() {
+ $htmlspecialchars = $this->getFunctionMock(__NAMESPACE__, 'htmlspecialchars');
+ $htmlspecialchars->expects($this->atLeastOnce())->willReturnCallback(
+ function ($string, $flags, $encoding) {
+ $this->assertEquals(ENT_QUOTES, $flags);
+ $this->assertEquals('UTF-8', $encoding);
+ return htmlspecialchars($string, $flags, $encoding);
+ }
+ );
+
+ $this->assertEquals('test@example.com', htmlspecialchars('test@example.com', ENT_QUOTES, 'UTF-8'));
+ $this->assertEquals('test<script>@example.com', htmlspecialchars('test