Escape GraphViz command before calling proc_open()
Fixes #26162, CVE-2019-15715

(cherry picked from commit 5fb9796)
dregad committed Sep 21, 2019
1 parent 7092573 commit cebfb9a
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion core/graphviz_api.php
Expand Up @@ -352,7 +352,7 @@ function output( $p_format = 'dot', $p_headers = false ) {

# Start dot process

$t_command = $this->graphviz_tool . ' -T' . $p_format;
$t_command = escapeshellcmd( $this->graphviz_tool . ' -T' . $p_format );
$t_descriptors = array(
0 => array( 'pipe', 'r', ),
1 => array( 'pipe', 'w', ),
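
Review bot: On the new `$t_command = escapeshellcmd( ... )` line, escapeshellcmd() is applied to the whole concatenated string, so it backslash-escapes shell metacharacters but does not quote anything: whitespace inside `$p_format` or `$this->graphviz_tool` still splits into additional arguments for the dot process, and a tool path containing spaces stops working. Quoting each component on its own would close that gap, for example `escapeshellarg( $this->graphviz_tool ) . ' -T' . escapeshellarg( $p_format )`, ideally combined with a check of `$p_format` against the set of output formats the caller is expected to pass. A one-line comment above the assignment saying why the command is escaped would help keep the call from being dropped in a later refactor.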