Helpers::getSource() improved escaping of cmdline arguments

nette · Mar 13, 2019 · 88ee594 · 88ee594
1 parent e935bdf
commit 88ee594
Showing 1 changed file with 16 additions and 1 deletion.
diff --git a/src/Tracy/Helpers.php b/src/Tracy/Helpers.php
@@ -166,7 +166,7 @@ public static function getSource(): string
 				. $_SERVER['REQUEST_URI'];
 		} else {
 			return 'CLI (PID: ' . getmypid() . ')'
-				. (empty($_SERVER['argv']) ? '' : ': ' . implode(' ', $_SERVER['argv']));
+				. ': ' . implode(' ', array_map([self::class, 'escapeArg'], $_SERVER['argv']));
 		}
 	}
 
@@ -302,4 +302,19 @@ public static function getNonce(): ?string
 			? $m[1]
 			: null;
 	}
+
+
+	/**
+	 * Escape a string to be used as a shell argument.
+	 */
+	private static function escapeArg(string $s): string
+	{
+		if (preg_match('#^[a-z0-9._=/:-]+\z#i', $s)) {
+			return $s;
+		}
+
+		return defined('PHP_WINDOWS_VERSION_BUILD')
+			? '"' . str_replace('"', '""', $s) . '"'
+			: escapeshellarg($s);
+	}
 }