Fix uncontrolled control input vulnerability

Shamal Faily · Shamal Faily · commit 974e8cc72dd6 · 2025-12-30T22:37:13.000Z
diff --git a/dockerLaTeX/LaTeXApi.py b/dockerLaTeX/LaTeXApi.py
@@ -4,15 +4,20 @@
 
 app = Flask(__name__)
 
+allowedCommands = set(['docbook2html','docbook2rtf','dblatex','pandoc'])
+
 @app.route('/latexApi', methods=['POST'])
 def index():
   try:
     dockBookCmd = request.values.get('docBookCmd')
+    if not docBookCmd:
+      abort(400)
+    if (docBookCmd.split(' ')[0] not in allowedCommands):
+      abort(400)
     os.system(dockBookCmd)
     return "Success"
-  except:
+  except Exception:
     abort(500)
 
-
 if __name__ == '__main__':
-  app.run(host="0.0.0.0", debug=True)
+  app.run(host="0.0.0.0")
