authorGuillaume Mazoyer <gmazoyer@gravitons.in>2016-02-18 10:57:58 +0100
committerGuillaume Mazoyer <gmazoyer@gravitons.in>2016-02-18 10:57:58 +0100
commit308173ba5281de704aa1deab3625e59bfcf4b73a (patch)
treea7ed0793278198f9fd1af5a8cfc568b1b3b4d38f /includes/utils.php
parent5ffb6dfcab5af89fc467eefbfceb6e192b97aa5b (diff)
Reject AS path regex containing ; and ".
An AS path regex will be considered invalid if it contains either of the characters ; or ". These characters could be used to inject arbitrary commands because of how the router command line interprets its input. This is a temporary fix for issue #13 while waiting for something better.
Diffstat (limited to 'includes/utils.php')
-rw-r--r--includes/utils.php12
1 files changed, 12 insertions, 0 deletions
diff --git a/includes/utils.php b/includes/utils.php
index 96982ea..4dfe132 100644
--- a/includes/utils.php
+++ b/includes/utils.php
@@ -209,10 +209,22 @@ function match_as($as) {
}
function match_aspath_regex($aspath_regex) {
+ // Empty AS path regex
if (empty($aspath_regex)) {
return false;
}
+ // AS path containing a ; (not a valid character)
+ if (strpos($aspath_regex, ';') !== false) {
+ return false;
+ }
+
+ // AS path containing a " (not a valid character, the string is automatically
+ // quoted if needed)
+ if (strpos($aspath_regex, '"') !== false) {
+ return false;
+ }
+
// TODO: validate a regex with a regex?
return true;
}
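Review bot: The two added `strpos` checks in match_aspath_regex are a denylist, so any other character, including line breaks and other control characters, still falls through to `return true` and on to the router command line that the commit message describes. The quoting mentioned in the new comment happens outside this hunk, so this function cannot rely on it. I would validate against an allowlist here instead, for example `if (preg_match('/\A[0-9A-Za-z_ ^$.*+?()\[\]{}|-]+\z/', $aspath_regex) !== 1) { return false; }`, with the character set adjusted to what the supported routers actually accept. Anchoring with `\z` rather than `$` matters because `$` would let a trailing newline pass. A short comment recording why each class of character is allowed would make the remaining TODO easier to close.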