- replaces escapeshellcmd by escapeshellarg (Fixes #3456)

Marius Burkard · Marius Burkard · commit 676dd14daa24 · 2016-02-19T13:08:48.000+01:00
diff --git a/server/plugins-available/backup_plugin.inc.php b/server/plugins-available/backup_plugin.inc.php
@@ -127,7 +127,7 @@ public function backup_action($action_name, $data) {
 						//$db_name = $parts[1];
 						preg_match('@^db_(.+)_\d{4}-\d{2}-\d{2}_\d{2}-\d{2}\.sql\.gz$@', $backup['filename'], $matches);
 						$db_name = $matches[1];
-						$command = "gunzip --stdout ".escapeshellarg($backup_dir.'/'.$backup['filename'])." | mysql -h '".escapeshellcmd($clientdb_host)."' -u '".escapeshellcmd($clientdb_user)."' -p'".escapeshellcmd($clientdb_password)."' '".$db_name."'";
+						$command = "gunzip --stdout ".escapeshellarg($backup_dir.'/'.$backup['filename'])." | mysql -h '".escapeshellarg($clientdb_host)."' -u '".escapeshellarg($clientdb_user)."' -p'".escapeshellarg($clientdb_password)."' '".$db_name."'";
 						exec($command);
 					}
 					unset($clientdb_host);

Original file line number	Diff line number	Diff line change
`@@ -127,7 +127,7 @@ public function backup_action($action_name, $data) {`
`127`	`127`	`//$db_name = $parts[1];`
`128`	`128`	`preg_match('@^db_(.+)_\d{4}-\d{2}-\d{2}_\d{2}-\d{2}\.sql\.gz$@', $backup['filename'], $matches);`
`129`	`129`	`$db_name = $matches[1];`
`130`		`- $command = "gunzip --stdout ".escapeshellarg($backup_dir.'/'.$backup['filename'])." \| mysql -h '".escapeshellcmd($clientdb_host)."' -u '".escapeshellcmd($clientdb_user)."' -p'".escapeshellcmd($clientdb_password)."' '".$db_name."'";`
	`130`	`+ $command = "gunzip --stdout ".escapeshellarg($backup_dir.'/'.$backup['filename'])." \| mysql -h '".escapeshellarg($clientdb_host)."' -u '".escapeshellarg($clientdb_user)."' -p'".escapeshellarg($clientdb_password)."' '".$db_name."'";`
`131`	`131`	`exec($command);`
`132`	`132`	`}`
`133`	`133`	`unset($clientdb_host);`