From 0f59bb1afff26578e80eeb1775f9f1d7cac54cf1 Mon Sep 17 00:00:00 2001
From: Yan <yans@yancomm.net>
Date: Sat, 31 Aug 2024 23:58:32 -0700
Subject: [PATCH] let's not be path-injectable

---
 web-security/cmdi-ls-filter/server    | 1 +
 web-security/cmdi-ls-pipe/server      | 1 +
 web-security/cmdi-ls-quote/server     | 1 +
 web-security/cmdi-ls-semicolon/server | 1 +
 web-security/cmdi-touch-blind/server  | 1 +
 web-security/level-2/server           | 1 +
 6 files changed, 6 insertions(+)

diff --git a/web-security/cmdi-ls-filter/server b/web-security/cmdi-ls-filter/server
index e31ff259..33038770 100755
--- a/web-security/cmdi-ls-filter/server
+++ b/web-security/cmdi-ls-filter/server
@@ -39,5 +39,6 @@ def challenge():
         """
 
 os.setuid(os.geteuid())
+os.environ["PATH"] = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
 app.secret_key = os.urandom(8)
 app.run("challenge.localhost", 8080 if os.geteuid() else 80)
diff --git a/web-security/cmdi-ls-pipe/server b/web-security/cmdi-ls-pipe/server
index cc59d51a..fe24db24 100755
--- a/web-security/cmdi-ls-pipe/server
+++ b/web-security/cmdi-ls-pipe/server
@@ -28,5 +28,6 @@ def challenge():
         """
 
 os.setuid(os.geteuid())
+os.environ["PATH"] = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
 app.secret_key = os.urandom(8)
 app.run("challenge.localhost", 8080 if os.geteuid() else 80)
diff --git a/web-security/cmdi-ls-quote/server b/web-security/cmdi-ls-quote/server
index 39a8795b..b7df41e8 100755
--- a/web-security/cmdi-ls-quote/server
+++ b/web-security/cmdi-ls-quote/server
@@ -28,5 +28,6 @@ def challenge():
         """
 
 os.setuid(os.geteuid())
+os.environ["PATH"] = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
 app.secret_key = os.urandom(8)
 app.run("challenge.localhost", 8080 if os.geteuid() else 80)
diff --git a/web-security/cmdi-ls-semicolon/server b/web-security/cmdi-ls-semicolon/server
index 5c6ef713..7867c951 100755
--- a/web-security/cmdi-ls-semicolon/server
+++ b/web-security/cmdi-ls-semicolon/server
@@ -28,5 +28,6 @@ def challenge():
         """
 
 os.setuid(os.geteuid())
+os.environ["PATH"] = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
 app.secret_key = os.urandom(8)
 app.run("challenge.localhost", 8080 if os.geteuid() else 80)
diff --git a/web-security/cmdi-touch-blind/server b/web-security/cmdi-touch-blind/server
index efd466e3..61900385 100755
--- a/web-security/cmdi-touch-blind/server
+++ b/web-security/cmdi-touch-blind/server
@@ -27,5 +27,6 @@ def challenge():
         """
 
 os.setuid(os.geteuid())
+os.environ["PATH"] = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
 app.secret_key = os.urandom(8)
 app.run("challenge.localhost", 8080 if os.geteuid() else 80)
diff --git a/web-security/level-2/server b/web-security/level-2/server
index 4990685a..389cc939 100755
--- a/web-security/level-2/server
+++ b/web-security/level-2/server
@@ -28,5 +28,6 @@ def challenge():
         """
 
 os.setuid(os.geteuid())
+os.environ["PATH"] = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
 app.secret_key = os.urandom(8)
 app.run("challenge.localhost", 8080 if os.geteuid() else 80)