From 52258a3ede8e88d6c10173dff4899164342db0bf Mon Sep 17 00:00:00 2001 From: "DESKTOP-4798CH4\\palonE" Date: Thu, 29 Mar 2018 00:33:16 +0100 Subject: [PATCH] Fixed security issue --- ydl.php | 23 ++++++++++++++++++----- 1 file changed, 18 insertions(+), 5 deletions(-) diff --git a/ydl.php b/ydl.php index eeb51e9..b20dab2 100644 --- a/ydl.php +++ b/ydl.php @@ -32,7 +32,6 @@ closedir($handle); } - //Make an folder with md5(date()) to download the stuff there $md5_date = md5(date("Y-m-d H:i:s")); mkdir($md5_date); @@ -55,11 +54,25 @@ } //Prepare the command - $cmd = "youtube-dl " . escapeshellarg($_POST['url']) . " " . $fileFormat . " " . $additionalParams . " " .$expertOptions; //fileFormat does not need to be escaped, its no user input - //Inconsistent across PHP versions // webserver, switching to exec until I find a fix - //liveExec($cmd); + try { + $cmd = "youtube-dl" . " " . + escapeshellcmd ($_POST['url']) . " " . + $fileFormat . " " . + $additionalParams . " " . + escapeshellcmd ($expertOptions); + + exec($cmd); + + } catch (Exception $e) { + $cmd = "youtube-dl" . " " . + escapeshellcmd ($_POST['url']) . " " . + $fileFormat . " " . + $additionalParams; + + exec($cmd); + } - exec($cmd); + //liveExec($cmd); //Inconsistent across PHP versions / webserver, switching to exec until I find a fix //writes the log $logFileName = "log.php";
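Review bot: Replacing `escapeshellarg($_POST['url'])` with `escapeshellcmd($_POST['url'])` in the new `$cmd` weakens the escaping, because escapeshellcmd() only backslash-escapes shell metacharacters and does not quote the value, so a URL containing spaces is split into several arguments and can carry extra youtube-dl options. Keep the URL as one quoted argument, `escapeshellarg($_POST['url'])`, and reject values that do not start with `http://` or `https://` so the value cannot be read as an option. `escapeshellcmd($expertOptions)` has the same limit: it stops command chaining but still passes any option the user types, so the expert options should be split into tokens, checked against an allowlist and quoted one by one with escapeshellarg(). The try/catch does not act as a fallback, since exec() reports a failed command through its return value and exit code rather than by throwing an Exception; use `exec($cmd, $output, $exitCode);` and test `$exitCode`. `$additionalParams` is concatenated unescaped in both branches and is built outside this hunk, so confirm it is assembled only from fixed strings.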