Snoopy: use escapeshellarg instead of escapeshellcmd

We are escaping arguments, not commands, so we'd better use the semantically correct function, even though they are similar. Merges [37094] to the 3.8 branch. Built from https://develop.svn.wordpress.org/branches/3.8@37101 git-svn-id: http://core.svn.wordpress.org/branches/3.8@37068 1a063a9b-81f0-0310-95a4-ce76da25c4cd
WordPress · Mar 30, 2016 · 33c5497 · 33c5497
1 parent 51f81f7
commit 33c5497
Showing 1 changed file with 12 additions and 9 deletions.
diff --git a/wp-includes/class-snoopy.php b/wp-includes/class-snoopy.php
@@ -999,20 +999,23 @@ function _httpsrequest($url,$URI,$http_method,$content_type="",$body="")
 		if(!empty($this->user) || !empty($this->pass))
 			$headers[] = "Authorization: BASIC ".base64_encode($this->user.":".$this->pass);
 
-		for($curr_header = 0; $curr_header < count($headers); $curr_header++) {
-			$safer_header = strtr( $headers[$curr_header], "\"", " " );
-			$cmdline_params .= " -H \"".$safer_header."\"";
+		$headerfile = tempnam( $this->temp_dir, "sno" );
+		$cmdline_params = '-k -D ' . escapeshellarg( $headerfile );
+
+		foreach ( $headers as $header ) {
+			$cmdline_params .= ' -H ' . escapeshellarg( $header );
 		}
 
-		if(!empty($body))
-			$cmdline_params .= " -d \"$body\"";
+		if ( ! empty( $body ) ) {
+			$cmdline_params .= ' -d ' . escapeshellarg( $body );
+		}
 
-		if($this->read_timeout > 0)
-			$cmdline_params .= " -m ".$this->read_timeout;
+		if ( $this->read_timeout > 0 ) {
+			$cmdline_params .= ' -m ' . escapeshellarg( $this->read_timeout );
+		}
 
-		$headerfile = tempnam($this->temp_dir, "sno");
 
-		exec($this->curl_path." -k -D \"$headerfile\"".$cmdline_params." \"".escapeshellcmd($URI)."\"",$results,$return);
+		exec( $this->curl_path . ' ' . $cmdline_params . ' ' . escapeshellarg( $URI ), $results, $return );
 
 		if($return)
 		{