patch CVE-2020-13619 (#426)

* patch CVE-2020-13619 fixes #420 * formatting missing a space if nothing else * add bufix sample & credits * update example 2 * forgot escapeshellarg() in example2
locutusjs · Oct 2, 2020 · a05e9e7 · a05e9e7
1 parent dd073d6
commit a05e9e7
Showing 1 changed file with 5 additions and 4 deletions.
diff --git a/src/php/exec/escapeshellarg.js b/src/php/exec/escapeshellarg.js
@@ -2,14 +2,15 @@ module.exports = function escapeshellarg (arg) {
   //  discuss at: https://locutus.io/php/escapeshellarg/
   // original by: Felix Geisendoerfer (https://www.debuggable.com/felix)
   // improved by: Brett Zamir (https://brett-zamir.me)
+  // bugfixed by: divinity76 (https://github.com/divinity76)
   //   example 1: escapeshellarg("kevin's birthday")
-  //   returns 1: "'kevin\\'s birthday'"
+  //   returns 1: "'Kevin'\''s birthday'"
+  //   example 2: escapeshellarg("/home'; whoami;''")
+  //   returns 2: "'/home'\''; whoami;'\'''\'''"
 
   var ret = ''
 
-  ret = arg.replace(/[^\\]'/g, function (m, i, s) {
-    return m.slice(0, 1) + '\\\''
-  })
+  ret = arg.replace(/\'/g, '\'\\\'\'')
 
   return "'" + ret + "'"
 }