Escape shell arguments for server and hiddeninput.exe (#282)

* Escape shell arguments fixes #281 * Replace space with tab
mako-framework · Oct 22, 2020 · c8ae45f · c8ae45f
1 parent 4a885b9
commit c8ae45f
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 2 deletions.
diff --git a/src/mako/application/cli/commands/server/Server.php b/src/mako/application/cli/commands/server/Server.php
@@ -114,6 +114,11 @@ public function execute(Application $application, int $port = 8000, string $addr
 
 		// Start the server
 
-		passthru(PHP_BINDIR . "/php -S {$address}:{$availablePort} -t {$docroot} " . __DIR__ . '/router.php');
+		passthru(
+			escapeshellcmd(PHP_BINDIR . '/php') .
+			" -S " . escapeshellarg("{$address}:{$availablePort}") .
+			" -t " . escapeshellarg($docroot) .
+			' ' . escapeshellarg(__DIR__ . "/router.php")
+		);
 	}
 }
diff --git a/src/mako/cli/input/helpers/Secret.php b/src/mako/cli/input/helpers/Secret.php
@@ -60,7 +60,11 @@ public function ask(string $question, $default = null, bool $fallback = false)
 
 			if(DIRECTORY_SEPARATOR === '\\')
 			{
-				$answer = trim(shell_exec(__DIR__ . '/resources/hiddeninput.exe'));
+				$answer = trim(
+					shell_exec(
+						escapeshellcmd(__DIR__ . '/resources/hiddeninput.exe')
+					)
+				);
 			}
 			else
 			{