fix: prevent argument injection in OS upgrade via escapeshellcmd misuse by tranquac · Pull Request #2593 · FalconChristmas/fpp

tranquac · 2026-03-28T10:39:39Z

Summary

Fix argument injection / path traversal in the OS upgrade handler by replacing escapeshellcmd with proper input validation.

www/upgradeOS.php uses escapeshellcmd() to sanitize the os GET parameter before passing it to system() with sudo:

$baseFile = escapeshellcmd($_GET['os']);
// ...
system($SUDO . " $TMP_FILE /home/fpp/media/upload/$baseFile", $return_code);

escapeshellcmd() prevents command chaining but does NOT prevent:

Argument injection: Adding flags to the upgrade script
Path traversal: ../../../etc/important_file — targeting files outside the upload directory

Since the command runs with $SUDO, this is a root-level vulnerability.

Note: A similar vulnerability was reported in PR #1006 but was closed without merging.

Use basename() to strip directory components (prevents path traversal)
Validate filename with allowlist regex [a-zA-Z0-9._-] (prevents argument injection)
Applied to both code paths (direct filename and URL-extracted filename)

Type: Argument Injection / Path Traversal with Root Privileges (CWE-88, CWE-22)
OWASP: A03:2021 — Injection
Affected endpoint: www/upgradeOS.php
Risk: Arbitrary file access or script argument manipulation as root

Signed-off-by: tranquac <tranquac@users.noreply.github.com>

fix: prevent argument injection in OS upgrade via escapeshellcmd misuse

2429bd3

Signed-off-by: tranquac <tranquac@users.noreply.github.com>

dkulp merged commit 9bbf886 into FalconChristmas:master Mar 30, 2026