
Fixed critical security bug in diskmg

Toby Chui 3 anni fa
parent
commit
dc33d910ab
3 ha cambiato i file con 33 aggiunte e 9 eliminazioni
  1. 14 0
      disk.go
  2. 7 2
      mod/disk/diskmg/diskmg.go
  3. 12 7
      web/SystemAO/disk/diskmg.html

+ 14 - 0
disk.go

@@ -130,6 +130,20 @@ func DiskServiceInit() {
 				diskmg.HandleMount(w, r, fsHandlers)
 			})
 			adminRouter.HandleFunc("/system/disk/diskmg/format", func(w http.ResponseWriter, r *http.Request) {
+				//Check if request are made in POST mode
+				if r.Method != http.MethodPost {
+					w.WriteHeader(http.StatusMethodNotAllowed)
+					w.Write([]byte("405 - Method Not Allowed"))
+					return
+				}
+
+				//Check if ArozOS is running in sudo mode
+				if !sudo_mode {
+					w.WriteHeader(http.StatusUnauthorized)
+					w.Write([]byte("401 - Unauthorized (Is ArozOS running in sudo mode?)"))
+					return
+				}
+
 				//Format option require passing in all filesystem handlers
 				diskmg.HandleFormat(w, r, fsHandlers)
 			})
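Review bot: Restricting the format endpoint to POST does not on its own stop a cross-site request: if adminRouter authenticates by session cookie, a page on another origin can still submit a plain form POST carrying `dev` and `format` to this handler, so the new method check at the top of the hunk should be paired with a CSRF token or an Origin/Referer comparison against the server's own host. The sudo_mode branch answers 401, but a caller reaching this handler has presumably already passed adminRouter's admin authentication — 403 describes "authenticated but not permitted" better, and the body need not reveal the server's privilege mode, e.g. `w.WriteHeader(http.StatusForbidden)` with `w.Write([]byte("403 - Forbidden"))`. The mount handler visible at the start of the hunk still calls diskmg.HandleMount without either guard; if mounting also changes device state it likely needs the same treatment. DiskServiceInit begins and ends outside the hunk.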

+ 7 - 2
mod/disk/diskmg/diskmg.go

@@ -264,18 +264,23 @@ func HandleMount(w http.ResponseWriter, r *http.Request, fsHandlers []*fs.FileSy
 
 */
 func HandleFormat(w http.ResponseWriter, r *http.Request, fsHandlers []*fs.FileSystemHandler) {
-	dev, err := mv(r, "dev", false)
+	dev, err := mv(r, "dev", true)
 	if err != nil {
 		sendErrorResponse(w, "dev not defined")
 		return
 	}
 
-	format, err := mv(r, "format", false)
+	format, err := mv(r, "format", true)
 	if err != nil {
 		sendErrorResponse(w, "format not defined")
 		return
 	}
 
+	if runtime.GOOS == "windows" {
+		sendErrorResponse(w, "This function is Linux Only")
+		return
+	}
+
 	//Check if format is supported
 	if !inArray(supportedFormats, format) {
 		sendErrorResponse(w, "Format not supported")
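Review bot: `dev` is still used exactly as received from the request: the hunk validates `format` against supportedFormats, but nothing visible checks that `dev` names a real block device, and since this handler presumably formats whatever device it is given, an unexpected value is a direct path to data loss and, if the value is ever interpolated into a shell command, to command injection. Validate it before use, e.g. a package-level `var devPattern = regexp.MustCompile("^/dev/[a-zA-Z0-9]+$")` and `if !devPattern.MatchString(dev) { sendErrorResponse(w, "invalid device"); return }`, or better, compare it against the device list the module already enumerates if it has one. The `runtime.GOOS` guard does not depend on the request and could sit first so Windows rejects the call before any form parsing; it also needs `runtime` imported, which the hunk does not show. The third argument to `mv` changing from false to true presumably selects POST form values — confirm it does not also fall back to the query string. HandleFormat continues past the end of the hunk.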

+ 12 - 7
web/SystemAO/disk/diskmg.html

@@ -323,13 +323,18 @@
                     $("#formatOptions").fadeOut('fast');
                     $(".functMenuDimmer").fadeOut('fast');
                     console.log(ao_root + "system/disk/diskmg/format?dev=" + targetDisk[0] + "&format=" + targetFormat);
-                    $.get(ao_root + "system/disk/diskmg/format?dev=" + targetDisk[0] + "&format=" + targetFormat,function(e){
-                        if (e.error !== undefined){
-                            alert(e.error );
+                    $.ajax({
+                        url: ao_root + "system/disk/diskmg/format",
+                        data: {"dev": targetDisk[0], "format": targetFormat},
+                        method: "POST",
+                        success: function(data){
+                            if (data.error !== undefined){
+                                alert(data.error);
+                            }
+                            initView();
+                            initPartitionTable();
+                            $("#loaderUI").hide();
                         }
-                        initView();
-                        initPartitionTable();
-                        $("#loaderUI").hide();
                     });
                 }else{
                     $("#loaderUI").hide();
@@ -435,7 +440,7 @@
             $(".partitionRepresentation").contextmenu(function(e){
                 if (mode == "windows"){
                     //Switch back to normal menu when under window mode
-                    //return true;
+                    return true;
                 }
                 var px = e.clientX;
                 var py = e.clientY;
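Review bot: The new $.ajax call in the first hunk has only a `success` handler, but the server side of this same commit answers with 405 and 401 plain-text bodies when it rejects the request; jQuery does not run `success` for those, so the alert is never shown and `#loaderUI` stays visible with no feedback. Add an error branch next to success, e.g. `error: function(xhr){ alert(xhr.responseText || xhr.statusText); $("#loaderUI").hide(); }`. The `console.log` kept just above the call still prints the old GET-style URL with the parameters in the query string, which no longer matches the request actually sent and should be dropped or updated. The click handler this code sits in starts before the hunk.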