Merge pull request hestiacp#535 from SysVoid/patch-7

serghey-rodin · serghey-rodin · commit 332ef2797e37 · 2015-12-11T22:44:55.000+02:00
[HIGH PRIORITY] Forgot to escape command arguments
diff --git a/web/api/index.php b/web/api/index.php
@@ -42,7 +42,7 @@
         $i++;
         if (!empty($_POST['arg' . $i]))
         {
-            $args[] = $_POST['arg' . $i];
+            $args[] = escapeshellarg($_POST['arg' . $i]);
             continue;
         }
         break;

Original file line number	Diff line number	Diff line change
`@@ -42,7 +42,7 @@`
`42`	`42`	`$i++;`
`43`	`43`	`if (!empty($_POST['arg' . $i]))`
`44`	`44`	`{`
`45`		`- $args[] = $_POST['arg' . $i];`
	`45`	`+ $args[] = escapeshellarg($_POST['arg' . $i]);`
`46`	`46`	`continue;`
`47`	`47`	`}`
`48`	`48`	`break;`