config: Don't pass configuration file argument to action

Due to security risk that a compromised Plinth process will give adversary the ability to write to any file on the system. Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
2026-01-21 07:55:00 +00:00 · 2019-03-01 12:58:21 -08:00 · 2019-03-01 12:58:21 -08:00 · 2aef91b187
commit 2aef91b187
parent d1d3eae3db
2 changed files with 8 additions and 14 deletions
--- a/actions/config
+++ b/actions/config
@ -26,7 +26,8 @@ import os
 import augeas

 from plinth import action_utils
-from plinth.modules.config import APACHE_HOMEPAGE_CONF_FILE_NAME
+from plinth.modules.config import (APACHE_HOMEPAGE_CONF_FILE_NAME,
+                                   FREEDOMBOX_APACHE_CONFIG)


 def parse_arguments():
@ -40,11 +41,8 @@ def parse_arguments():
    set_home_page.add_argument('homepage',
                               help='path to the webserver home page')

-    reset_home_page = subparsers.add_parser(
-        'reset-home-page', help='Reset the homepage of the Apache server.')
-    reset_home_page.add_argument(
-        '--config', default=APACHE_HOMEPAGE_CONF_FILE_NAME,
-        help='(optional) path to the Apache config file')
+    subparsers.add_parser('reset-home-page',
+                          help='Reset the homepage of the Apache server.')

    subparsers.required = True
    return parser.parse_args()
@ -63,12 +61,9 @@ def subcommand_set_home_page(arguments):
    action_utils.webserver_enable('freedombox-apache-homepage')


-def subcommand_reset_home_page(arguments):
-    """Sets the Apache web server's home page to the default - /plinth
-
-    The config file path can be optionally passed as an argument.
-    """
-    config_file = arguments.config
+def subcommand_reset_home_page(_):
+    """Sets the Apache web server's home page to the default - /plinth."""
+    config_file = FREEDOMBOX_APACHE_CONFIG
    default_path = 'plinth'

    aug = augeas.Augeas(
--- a/plinth/modules/config/init.py
+++ b/plinth/modules/config/init.py
@ -124,8 +124,7 @@ def _migrate_home_page_config():
    home_page_path = get_home_page().replace('_', '/')

    # Reset the home page to plinth in freedombox.conf
-    actions.superuser_run(
-        'config', ['reset-home-page', '--config', FREEDOMBOX_APACHE_CONFIG])
+    actions.superuser_run('config', ['reset-home-page'])

    # Write the home page setting into the new conf file
    # This step is run at the end because it reloads the Apache server