Adding escapeshellarg in a few more places in PHP code
dpeca committed Jun 23, 2020
1 parent b6cadcd commit c377e19
Showing 4 changed files with 6 additions and 6 deletions.
2 changes: 1 addition & 1 deletion web/edit/server/index.php
Expand Up @@ -356,7 +356,7 @@
// Change remote backup host type
if (empty($_SESSION['error_msg'])) {
if ((!empty($_POST['v_backup_host'])) && ($_POST['v_backup_type'] != $v_backup_type)) {
exec (VESTA_CMD."v-delete-backup-host ". $v_backup_type, $output, $return_var);
exec (VESTA_CMD."v-delete-backup-host " . escapeshellarg($v_backup_type), $output, $return_var);
unset($output);

$v_backup_host = escapeshellarg($_POST['v_backup_host']);
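
Review bot: two escaping conventions now sit side by side in this hunk: the `v-delete-backup-host` line escapes `$v_backup_type` at the call site, while the context line `$v_backup_host = escapeshellarg($_POST['v_backup_host']);` stores the escaped form back into the variable. Mixing the two makes it hard to tell at a given exec whether a variable is raw or already quoted, and invites double-escaping later. Suggest keeping variables raw and escaping only where the command string is built. Separately, within the visible lines `$return_var` from the delete call is discarded by going straight to `unset($output);`, so a failed delete of the old backup host is not reported; a return-code check before continuing would help.
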
2 changes: 1 addition & 1 deletion web/list/directory/index.php
Expand Up @@ -15,7 +15,7 @@
}

if (empty($panel)) {
$command = VESTA_CMD."v-list-user '".$user."' 'json'";
$command = VESTA_CMD."v-list-user ".escapeshellarg($user)." 'json'";
exec ($command, $output, $return_var);
if ( $return_var > 0 ) {
header("Location: /error/");
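
Review bot: on the `$command` line the literal `'json'` is still hand-quoted next to the new `escapeshellarg($user)` call. It is a constant, so it is safe, but the dns and mail list pages in this same commit pass a bare `json`. Dropping the hand-written quotes here would leave `escapeshellarg()` as the only quoting mechanism in these command strings, so any remaining `'".$var."'` pattern stands out in a grep as an unescaped argument.
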
4 changes: 2 additions & 2 deletions web/list/dns/index.php
Expand Up @@ -7,14 +7,14 @@

// Data & Render page
if (empty($_GET['domain'])){
exec (VESTA_CMD."v-list-dns-domains $user json", $output, $return_var);
exec (VESTA_CMD."v-list-dns-domains ".escapeshellarg($user)." json", $output, $return_var);
$data = json_decode(implode('', $output), true);
$data = array_reverse($data, true);
unset($output);

render_page($user, $TAB, 'list_dns');
} else {
exec (VESTA_CMD."v-list-dns-records ".$user." ".escapeshellarg($_GET['domain'])." json", $output, $return_var);
exec (VESTA_CMD."v-list-dns-records ".escapeshellarg($user)." ".escapeshellarg($_GET['domain'])." json", $output, $return_var);
$data = json_decode(implode('', $output), true);
$data = array_reverse($data, true);
unset($output);
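
Review bot: neither branch checks `$return_var` or the result of `json_decode()` before calling `array_reverse($data, true)`. If `v-list-dns-domains` or `v-list-dns-records` fails or prints something that is not JSON, `$data` is `null`, and `array_reverse()` on `null` raises a warning (a TypeError on PHP 8). Suggest testing `$return_var` and `is_array($data)` after each exec and falling back to an empty array before rendering.
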
4 changes: 2 additions & 2 deletions web/list/mail/index.php
Expand Up @@ -7,14 +7,14 @@

// Data & Render page
if (empty($_GET['domain'])){
exec (VESTA_CMD."v-list-mail-domains $user json", $output, $return_var);
exec (VESTA_CMD."v-list-mail-domains ".escapeshellarg($user)." json", $output, $return_var);
$data = json_decode(implode('', $output), true);
$data = array_reverse($data, true);
unset($output);

render_page($user, $TAB, 'list_mail');
} else {
exec (VESTA_CMD."v-list-mail-accounts ".$user." ".escapeshellarg($_GET['domain'])." json", $output, $return_var);
exec (VESTA_CMD."v-list-mail-accounts ".escapeshellarg($user)." ".escapeshellarg($_GET['domain'])." json", $output, $return_var);
$data = json_decode(implode('', $output), true);
$data = array_reverse($data, true);
unset($output);
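
Review bot: escaping each argument by hand at the call site is fragile, as the old `v-list-mail-accounts` line shows: `$_GET['domain']` was wrapped in `escapeshellarg()` while `$user` right next to it was not, and the same omission appears in the dns page. Suggest routing these calls through one small wrapper that takes the command name plus an array of arguments and applies `escapeshellarg()` to every element, so a new call site cannot leave one out.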

1 comment on commit c377e19

@dpeca (Collaborator, Author) commented on c377e19 Jun 23, 2020

Credits to Talha Günay and @Lupul for finding these places
