|
24 | 24 | } |
25 | 25 |
|
26 | 26 | // List user |
27 | | -exec (VESTA_CMD."v-list-user ".$v_username." json", $output, $return_var); |
| 27 | +exec (VESTA_CMD."v-list-user ".escapeshellarg($v_username)." json", $output, $return_var); |
28 | 28 | check_return_code($return_var,$output); |
29 | 29 | $data = json_decode(implode('', $output), true); |
30 | 30 | unset($output); |
|
89 | 89 | $fp = fopen($v_password, "w"); |
90 | 90 | fwrite($fp, $_POST['v_password']."\n"); |
91 | 91 | fclose($fp); |
92 | | - exec (VESTA_CMD."v-change-user-password ".$v_username." ".$v_password, $output, $return_var); |
| 92 | + exec (VESTA_CMD."v-change-user-password ".escapeshellarg($v_username)." ".$v_password, $output, $return_var); |
93 | 93 | check_return_code($return_var,$output); |
94 | 94 | unset($output); |
95 | 95 | unlink($v_password); |
|
99 | 99 | // Change package (admin only) |
100 | 100 | if (($v_package != $_POST['v_package']) && ($_SESSION['user'] == 'admin') && (empty($_SESSION['error_msg']))) { |
101 | 101 | $v_package = escapeshellarg($_POST['v_package']); |
102 | | - exec (VESTA_CMD."v-change-user-package ".$v_username." ".$v_package, $output, $return_var); |
| 102 | + exec (VESTA_CMD."v-change-user-package ".escapeshellarg($v_username)." ".$v_package, $output, $return_var); |
103 | 103 | check_return_code($return_var,$output); |
104 | 104 | unset($output); |
105 | 105 | } |
106 | 106 |
|
107 | 107 | // Change language |
108 | 108 | if (($v_language != $_POST['v_language']) && (empty($_SESSION['error_msg']))) { |
109 | 109 | $v_language = escapeshellarg($_POST['v_language']); |
110 | | - exec (VESTA_CMD."v-change-user-language ".$v_username." ".$v_language, $output, $return_var); |
| 110 | + exec (VESTA_CMD."v-change-user-language ".escapeshellarg($v_username)." ".$v_language, $output, $return_var); |
111 | 111 | check_return_code($return_var,$output); |
112 | 112 | if (empty($_SESSION['error_msg'])) { |
113 | 113 | if ((empty($_GET['user'])) || ($_GET['user'] == $_SESSION['user'])) $_SESSION['language'] = $_POST['v_language']; |
|
118 | 118 | // Change shell (admin only) |
119 | 119 | if (($v_shell != $_POST['v_shell']) && ($_SESSION['user'] == 'admin') && (empty($_SESSION['error_msg']))) { |
120 | 120 | $v_shell = escapeshellarg($_POST['v_shell']); |
121 | | - exec (VESTA_CMD."v-change-user-shell ".$v_username." ".$v_shell, $output, $return_var); |
| 121 | + exec (VESTA_CMD."v-change-user-shell ".escapeshellarg($v_username)." ".$v_shell, $output, $return_var); |
122 | 122 | check_return_code($return_var,$output); |
123 | 123 | unset($output); |
124 | 124 | } |
|
129 | 129 | $_SESSION['error_msg'] = __('Please enter valid email address.'); |
130 | 130 | } else { |
131 | 131 | $v_email = escapeshellarg($_POST['v_email']); |
132 | | - exec (VESTA_CMD."v-change-user-contact ".$v_username." ".$v_email, $output, $return_var); |
| 132 | + exec (VESTA_CMD."v-change-user-contact ".escapeshellarg($v_username)." ".$v_email, $output, $return_var); |
133 | 133 | check_return_code($return_var,$output); |
134 | 134 | unset($output); |
135 | 135 | } |
|
139 | 139 | if (($v_fname != $_POST['v_fname']) || ($v_lname != $_POST['v_lname']) && (empty($_SESSION['error_msg']))) { |
140 | 140 | $v_fname = escapeshellarg($_POST['v_fname']); |
141 | 141 | $v_lname = escapeshellarg($_POST['v_lname']); |
142 | | - exec (VESTA_CMD."v-change-user-name ".$v_username." ".$v_fname." ".$v_lname, $output, $return_var); |
| 142 | + exec (VESTA_CMD."v-change-user-name ".escapeshellarg($v_username)." ".$v_fname." ".$v_lname, $output, $return_var); |
143 | 143 | check_return_code($return_var,$output); |
144 | 144 | unset($output); |
145 | 145 | $v_fname = $_POST['v_fname']; |
|
157 | 157 | $v_ns6 = escapeshellarg($_POST['v_ns6']); |
158 | 158 | $v_ns7 = escapeshellarg($_POST['v_ns7']); |
159 | 159 | $v_ns8 = escapeshellarg($_POST['v_ns8']); |
160 | | - $ns_cmd = VESTA_CMD."v-change-user-ns ".$v_username." ".$v_ns1." ".$v_ns2; |
| 160 | + $ns_cmd = VESTA_CMD."v-change-user-ns ".escapeshellarg($v_username)." ".$v_ns1." ".$v_ns2; |
161 | 161 | if (!empty($_POST['v_ns3'])) $ns_cmd = $ns_cmd." ".$v_ns3; |
162 | 162 | if (!empty($_POST['v_ns4'])) $ns_cmd = $ns_cmd." ".$v_ns4; |
163 | 163 | if (!empty($_POST['v_ns5'])) $ns_cmd = $ns_cmd." ".$v_ns5; |
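Review bot: The name-change guard at new line 139 has the form `A || B && C`, and because `&&` binds tighter than `||`, a changed first name runs `v-change-user-name` even when `$_SESSION['error_msg']` is already set. The package, language and shell sections all stop on a prior error, so group the two comparisons: `if ((($v_fname != $_POST['v_fname']) || ($v_lname != $_POST['v_lname'])) && (empty($_SESSION['error_msg']))) {`. Separately, `escapeshellarg($v_username)` is now repeated at all eight call sites, while the POST-derived arguments are quoted once where they are assigned, so any `exec` that uses `$v_username` outside these hunks would still pass it unquoted. The assignment of `$v_username` is not visible here, so it is worth checking whether it can be quoted or validated once at that point. Quoting keeps the shell from splitting the value but does not confirm it is a well-formed account name, so a format check before the first `v-list-user` call would still be useful.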
|