mirror of
https://github.com/unraid/webgui.git
synced 2026-03-01 05:41:08 -06:00
encryption: include 'escapeshellarg' for script execution
This commit is contained in:
bergware
@@ -1,6 +1,6 @@
|
||||
<?PHP
|
||||
/* Copyright 2005-2023, Lime Technology
|
||||
* Copyright 2012-2023, Bergware International.
|
||||
/* Copyright 2005-2025, Lime Technology
|
||||
* Copyright 2012-2025, Bergware International.
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or
|
||||
* modify it under the terms of the GNU General Public License version 2,
|
||||
@@ -25,60 +25,63 @@ $oldkey = dirname($newkey).'/oldfile';
|
||||
$delkey = !is_file($newkey);
|
||||
$crypto = [];
|
||||
|
||||
foreach (glob('/dev/disk/by-id/*CRYPT-LUKS*',GLOB_NOSORT) as $disk) {
|
||||
foreach (glob('/dev/disk/by-id/*CRYPT-LUKS*', GLOB_NOSORT) as $disk) {
|
||||
$disk = explode('-',$disk);
|
||||
$crypto[] = array_pop($disk);
|
||||
}
|
||||
if (count($crypto)==0) die();
|
||||
if (count($crypto) == 0) die();
|
||||
|
||||
function delete_file(...$file) {
|
||||
array_map('unlink',array_filter($file,'is_file'));
|
||||
array_map('unlink', array_filter($file,'is_file'));
|
||||
}
|
||||
function removeKey($key,$disk) {
|
||||
|
||||
function removeKey($key, $disk) {
|
||||
$match = $slots = 0;
|
||||
$dump = popen("cryptsetup luksDump /dev/$disk",'r');
|
||||
while (($row = fgets($dump))!==false) {
|
||||
if (strncmp($row,'Version:',8)==0) {
|
||||
switch (trim(explode(':',$row)[1])) {
|
||||
$dump = popen("cryptsetup luksDump ".escapeshellarg("/dev/$disk"), 'r');
|
||||
while (($row = fgets($dump)) !== false) {
|
||||
if (strncmp($row,'Version:',8) == 0) {
|
||||
switch (trim(explode(':', $row)[1])) {
|
||||
case 1: $match = '/^Key Slot \d+: ENABLED$/'; break;
|
||||
case 2: $match = '/^\s+\d+: luks2$/'; break;
|
||||
}
|
||||
}
|
||||
if ($match && preg_match($match,$row)) $slots++;
|
||||
if ($match && preg_match($match, $row)) $slots++;
|
||||
}
|
||||
pclose($dump);
|
||||
if ($slots > 1) exec("cryptsetup luksRemoveKey /dev/$disk $key &>/dev/null");
|
||||
if ($slots > 1) exec("cryptsetup luksRemoveKey ".escapeshellarg("/dev/$disk")." ".escapeshellarg($key)." &>/dev/null");
|
||||
}
|
||||
|
||||
function diskname($name) {
|
||||
global $disks;
|
||||
foreach ($disks as $disk) if (strncmp($name,$disk['device'],strlen($disk['device']))==0) return $disk['name'];
|
||||
foreach ($disks as $disk) if (strncmp($name, $disk['device'], strlen($disk['device'])) == 0) return $disk['name'];
|
||||
return $name;
|
||||
}
|
||||
function reply($text,$type) {
|
||||
global $oldkey,$newkey,$delkey;
|
||||
|
||||
function reply($text, $type) {
|
||||
global $oldkey, $newkey, $delkey;
|
||||
$reply = _var($_POST,'#reply');
|
||||
if (realpath(dirname($reply))=='/var/tmp') file_put_contents($reply,$text."\0".$type);
|
||||
if (realpath(dirname($reply)) == '/var/tmp') file_put_contents($reply, $text."\0".$type);
|
||||
delete_file($oldkey);
|
||||
if (_var($_POST,'newinput','text')=='text' || $delkey) delete_file($newkey);
|
||||
if (_var($_POST,'newinput','text') == 'text' || $delkey) delete_file($newkey);
|
||||
die();
|
||||
}
|
||||
|
||||
if (isset($_POST['oldinput'])) {
|
||||
switch ($_POST['oldinput']) {
|
||||
case 'text':
|
||||
file_put_contents($oldkey,base64_decode(_var($_POST,'oldluks')));
|
||||
file_put_contents($oldkey, base64_decode(_var($_POST,'oldluks')));
|
||||
break;
|
||||
case 'file':
|
||||
file_put_contents($oldkey,base64_decode(explode(';base64,',_var($_POST,'olddata','x;base64,'))[1]));
|
||||
file_put_contents($oldkey, base64_decode(explode(';base64,',_var($_POST,'olddata','x;base64,'))[1]));
|
||||
break;
|
||||
}
|
||||
} else {
|
||||
if (is_file($newkey)) copy($newkey,$oldkey);
|
||||
if (is_file($newkey)) copy($newkey, $oldkey);
|
||||
}
|
||||
|
||||
if (is_file($oldkey)) {
|
||||
$disk = $crypto[0]; // check first disk only (key is the same for all disks)
|
||||
exec("cryptsetup luksOpen --test-passphrase --key-file $oldkey /dev/$disk &>/dev/null",$null,$error);
|
||||
exec("cryptsetup luksOpen --test-passphrase --key-file ".escapeshellarg($oldkey)." ".escapeshellarg("/dev/$disk")." &>/dev/null", $null, $error);
|
||||
} else $error = 1;
|
||||
|
||||
if ($error > 0) reply(_('Incorrect existing key'),'warning');
|
||||
@@ -86,24 +89,24 @@ if ($error > 0) reply(_('Incorrect existing key'),'warning');
|
||||
if (isset($_POST['newinput'])) {
|
||||
switch ($_POST['newinput']) {
|
||||
case 'text':
|
||||
file_put_contents($newkey,base64_decode(_var($_POST,'newluks')));
|
||||
file_put_contents($newkey, base64_decode(_var($_POST,'newluks')));
|
||||
$luks = 'luksKey';
|
||||
$data = rawurlencode(_var($_POST,'newluks'));
|
||||
break;
|
||||
case 'file':
|
||||
file_put_contents($newkey,base64_decode(explode(';base64,',_var($_POST,'newdata','x;base64,'))[1]));
|
||||
file_put_contents($newkey, base64_decode(explode(';base64,',_var($_POST,'newdata','x;base64,'))[1]));
|
||||
$luks = 'luksKey=&luksKeyfile';
|
||||
$data = $newkey;
|
||||
break;
|
||||
}
|
||||
$good = $bad = [];
|
||||
foreach ($crypto as $disk) {
|
||||
exec("cryptsetup luksAddKey --key-file $oldkey /dev/$disk $newkey &>/dev/null",$null,$error);
|
||||
if ($error==0) $good[] = $disk; else $bad[] = diskname($disk);
|
||||
exec("cryptsetup luksAddKey --key-file ".escapeshellarg($oldkey)." ".escapeshellarg("/dev/$disk")." ".escapeshellarg($newkey)." &>/dev/null", $null, $error);
|
||||
if ($error == 0) $good[] = $disk; else $bad[] = diskname($disk);
|
||||
}
|
||||
if (count($bad)==0) {
|
||||
if (count($bad) == 0) {
|
||||
// all okay, remove the old key
|
||||
foreach ($good as $disk) removeKey($oldkey,$disk);
|
||||
foreach ($good as $disk) removeKey($oldkey, $disk);
|
||||
exec("emcmd ".escapeshellarg("changeDisk=apply&$luks=$data"));
|
||||
reply(_('Key successfully changed'),'success');
|
||||
} else {
|
||||
|
||||
Reference in New Issue
Block a user