[4.7.12] — 2026-07-01
Security
- SQL injection in
cipi dbcommands —_db_delete,_db_backup,_db_restore, and_db_password(lib/db.sh) interpolated the<name>argument (and, for delete/password, the storeduserfield) directly intomariadb -estatements without validation, unlike_db_createwhich already validatedname. A crafted database name (e.g. containing a quote or backtick) could break out of the SQL string/identifier context and execute arbitrary statements as the MariaDB root user;_db_create --user=was also unvalidated, allowing the same injection at creation time. Addedvalidate_db_name()(lib/common.sh) and applied it toname/userin every_db_*function, including the vault-storeduserfallback used by delete/password. - PHP code injection via
cipi app create --repository=/--branch=andcipi app edit— these values were substituted unsanitized into the single-quoted PHP string literalsset('repository', '...')/set('branch', '...')when generating each app'sdeploy.php(lib/app.sh,lib/deployer/{laravel,custom}.php); the existingsedescaping only handled sed metacharacters, not the PHP string delimiter. A crafted branch/repository value (e.g.x'); system('...'); //) could break out of the string literal and inject arbitrary PHP — executed as the app's Linux user on every deploy (manual, cron, or webhook-triggered), reachable even via a REST API token scoped only toapps-edit. Addedvalidate_git_branch()andvalidate_git_repository()(lib/common.sh, restricted charset) and enforced them inapp_createandapp_editbefore the values are written anywhere.
No migration required — both fixes are input-validation only and take effect immediately after cipi self-update; no existing app/database configuration needs to be regenerated.