escape stty cmd before executing it (#54)

* escape stty cmd before executing it
aldas · Apr 12, 2020 · 0930a98 · 0930a98
1 parent 125850b
commit 0930a98
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,8 +4,11 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
-## [Unreleased]
+## [2.0.1] - 2020-04-12
 
+### Security
+
+* Escape stty command for SerialStreamCreator to avoid unescaped arguments (#54)
 
 ## [2.0.0] - 2020-04-07
 

diff --git a/src/Network/SerialStreamCreator.php b/src/Network/SerialStreamCreator.php
@@ -55,7 +55,8 @@ public function createStream(BinaryStreamConnection $conn)
         $device = $conn->getUri();
 
         $sttyModes = implode(' ', $this->sttyModes);
-        $sttyResult = exec("stty -F ${device} ${sttyModes}");
+        $cmd = escapeshellcmd("stty -F ${device} ${sttyModes}");
+        $sttyResult = exec($cmd);
         if ($sttyResult === false) {
             throw new IOException('stty failed to configure device');
         }