
update.php fixes #2685

Open
elibosley wants to merge 1 commit into 7.2 from update-php-file-fixes-7.2

Conversation

@elibosley (Member)

Restrict update.php #file writes to the expected configuration roots (/boot/config, /etc/wireguard) so a write cannot land outside config storage via an absolute path or ...

  • Resolve the target with realpath() (collapsing ../ and symlinks) and range-check it with a shared in_safe_path() helper.
  • Promote in_safe_path() into Wrappers.php so update.php and FileUpload.php share one implementation (drops the duplicate copy in FileUpload.php).
  • Add a regression test that drives the real update.php and asserts out-of-root targets are refused while legitimate /boot/config writes still succeed.

Relative #file paths are unaffected (still placed under /boot/config/plugins/).

@coderabbitai coderabbitai (Bot, Contributor) commented Jun 29, 2026

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.


@github-actions github-actions (Bot) commented Jun 29, 2026

🔧 PR Test Plugin Available

A test plugin has been generated for this PR that includes the modified files.

Version: 2026.06.29.2026
Build: View Workflow Run

📥 Installation Instructions:

Install via Unraid Web UI:

  1. Go to Plugins → Install Plugin
  2. Copy and paste this URL: https://preview.dl.unraid.net/pr-plugins/pr-2685/webgui-pr-2685.plg
  3. Click Install

Alternative: Direct Download

⚠️ Important Notes:

  • Testing only: This plugin is for testing PR changes
  • Backup included: Original files are automatically backed up
  • Easy removal: Files are restored when plugin is removed
  • Conflicts: Remove this plugin before installing production updates
  • Post-merge behavior: This preview stays available after merge until preview storage expires or it is manually cleaned up

📝 Modified Files:

emhttp/update.php

🔄 To Remove:

Navigate to Plugins → Installed Plugins and remove webgui-pr-2685, or run:

plugin remove webgui-pr-2685

🤖 This comment is automatically generated and will be updated with each new push to this PR.

@elibosley elibosley force-pushed the update-php-file-fixes-7.2 branch from 12cd4d4 to 87e4323 on June 29, 2026 16:48

@elibosley elibosley (Member, Author) commented Jun 29, 2026

Verifying this change (not committed)

One-line hardening of update.php's #command handler: the realpath-resolved command must stay inside the document root before it runs, so a ../-escape can't execute a binary outside the webgui.

Offline check from the repo root — should print blocked:

php -d short_open_tag=On -r '
  error_reporting(0);
  $_SERVER["DOCUMENT_ROOT"] = getcwd()."/emhttp";
  $_POST = ["#command" => "../../../../../../bin/echo", "#arg" => ["PWNED"]];
  chdir("emhttp"); include "update.php";
' | grep -q PWNED && echo "NOT contained" || echo "blocked"

On a running server: an authenticated POST with #command=../../../../../../bin/touch + #arg[]=/tmp/x must not create /tmp/x, and syslog logs Invalid #command: .... Legit #command scripts under /webGui/scripts and /plugins/*/scripts still run.
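The two containment checks discussed in this thread, the #file root restriction from the PR description (realpath() plus a shared in_safe_path() range check against /boot/config and /etc/wireguard) and the #command document-root check from the verification comment above, as one added example. This is not code from the unraid/webgui repository: the helper bodies, the assumption that #command is joined as $docroot . '/' . $cmd, and the sandbox directory tree built under the system temp dir are all illustration-only assumptions.

```php
<?php
// Added example, not code from the unraid/webgui project. The helper names,
// the "$docroot . '/' . $cmd" join for #command, and the sandbox tree below
// are assumptions for illustration. Requires PHP 8 (str_starts_with).
// Run with: php safe_path_demo.php

/**
 * Canonical path of $target if it lies inside one of $roots, else false.
 * realpath() collapses "..", duplicate slashes and symlinks, so a plain
 * prefix compare on the *resolved* string is enough. A not-yet-existing
 * file (a fresh write) is resolved through its parent directory.
 */
function in_safe_path(string $target, array $roots): string|false
{
    $real = realpath($target);
    if ($real === false) {
        $base = basename($target);
        if ($base === '' || $base === '.' || $base === '..') {
            return false;
        }
        $parent = realpath(dirname($target));
        if ($parent === false) {
            return false;               // parent missing or unresolvable
        }
        $real = rtrim($parent, '/') . '/' . $base;
    }
    foreach ($roots as $root) {
        $rootReal = realpath($root);
        if ($rootReal === false) {
            continue;
        }
        $rootReal = rtrim($rootReal, '/');
        // Compare with a trailing slash so "/boot/config-old/x" is not
        // accepted as being under "/boot/config".
        if ($real === $rootReal || str_starts_with($real, $rootReal . '/')) {
            return $real;
        }
    }
    return false;
}

/**
 * Resolve a #command relative to the document root (assumed join) and refuse
 * it unless the resolved file is a regular file still inside that root.
 */
function resolve_command(string $docroot, string $cmd): string|false
{
    $real = realpath($docroot . '/' . $cmd);
    if ($real === false || !is_file($real)) {
        return false;
    }
    return in_safe_path($real, [$docroot]);
}

function check(bool $cond, string $label): void
{
    if (!$cond) {
        throw new RuntimeException("unexpected result for $label");
    }
}

function rm_rf(string $p): void
{
    if (is_link($p) || is_file($p)) { unlink($p); return; }
    foreach (scandir($p) as $e) {
        if ($e !== '.' && $e !== '..') { rm_rf("$p/$e"); }
    }
    rmdir($p);
}

// --- constructed sandbox tree standing in for /boot/config, /etc, the webgui ---
$tmp = sys_get_temp_dir() . '/safe_path_demo_' . getmypid();
foreach (['boot/config/plugins', 'boot/config-old', 'etc/wireguard',
          'webgui/webGui/scripts', 'bin'] as $d) {
    mkdir("$tmp/$d", 0700, true);
}
file_put_contents("$tmp/etc/passwd", "root:x:0:0\n");
file_put_contents("$tmp/webgui/webGui/scripts/legit", "#!/bin/sh\n");
file_put_contents("$tmp/bin/touch", "#!/bin/sh\n");
symlink("$tmp/etc", "$tmp/boot/config/evil");           // symlink pointing outside

try {
    $roots = ["$tmp/boot/config", "$tmp/etc/wireguard"];
    $cases = [
        ["$tmp/boot/config/plugins/new.cfg",             true],   // fresh write, legit
        ["$tmp/etc/wireguard/wg0.conf",                  true],
        ["$tmp/boot/config",                             true],   // the root itself
        ["$tmp/boot/config/plugins/../../../etc/passwd", false],  // ../ traversal
        ["$tmp/boot/config/evil/passwd",                 false],  // symlink escape
        ["$tmp/etc/passwd",                              false],  // absolute path outside
        ["$tmp/boot/config-old/x",                       false],  // prefix-collision trap
    ];
    foreach ($cases as [$path, $expect]) {
        $ok = in_safe_path($path, $roots) !== false;
        printf("%-7s %s\n", $ok ? 'allow' : 'refuse', substr($path, strlen($tmp)));
        check($ok === $expect, $path);
    }

    $docroot = "$tmp/webgui";
    check(resolve_command($docroot, '/webGui/scripts/legit') !== false, 'legit #command');
    check(resolve_command($docroot, '../bin/touch') === false, 'escaping #command');
    echo "all containment checks behaved as expected\n";
} finally {
    rm_rf($tmp);
}
```

The two details that usually go wrong in checks like this are both exercised above: comparing against the root with a trailing slash (otherwise a sibling directory sharing the prefix passes), and resolving a not-yet-existing write target through its realpath'd parent rather than skipping the check when realpath() returns false.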

@elibosley elibosley force-pushed the update-php-file-fixes-7.2 branch from 87e4323 to d0597c9 on June 29, 2026 17:00
Re-check the resolved #command path stays inside the document root before
executing it, so an authenticated request cannot use realpath() traversal
(e.g. starting at $docroot then '../') to run a binary outside the webgui.

Refs: OS-489
@elibosley elibosley force-pushed the update-php-file-fixes-7.2 branch from d0597c9 to 286101e on June 29, 2026 20:26
@unraid-bot unraid-bot added the 7.2.8 Approved for release 7.2.8 (auto-managed by notification-worker) label Jun 29, 2026