From 947a06ec25c810d8fd8eddfb3344e935ecde675b Mon Sep 17 00:00:00 2001
From: Nadav
Date: Sun, 23 Oct 2011 17:05:06 +0300
Subject: [PATCH] Use `escapeshellarg()` on the query string passed to `shell_exec()`, to make sure its treated safely as a single argument.
---
web/show.php | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/web/show.php b/web/show.php
index e0a8243..c049d9e 100644
--- a/web/show.php
+++ b/web/show.php
@@ -29,7 +29,7 @@ echo "\n

".str_replace("\n\n","

\n\n

",$ticket[1])."

\n"; // XXX support threaded comments
-$comments = explode("\n",shell_exec("cd '".REPOSITORY_PATH."/.tickets'; git ticket list comments '".basename($_SERVER['QUERY_STRING'])."'"));
+$comments = explode("\n",shell_exec("cd '".REPOSITORY_PATH."/.tickets'; git ticket list comments '".escapeshellarg(basename($_SERVER['QUERY_STRING']))."'"));
 if(count($comments)) {
 echo "\n
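Review bot: The new `escapeshellarg()` call on the `+$comments` line is cancelled out by the literal single quotes that still surround it: `escapeshellarg()` already returns the value wrapped in its own single quotes, so the shell receives `''value''`, where each outer quote pairs with the inner one to form an empty string and the actual value ends up unquoted — whitespace still splits it into several arguments, shell metacharacters are still interpreted, and a `'` in the input breaks the command's quoting. Drop the surrounding literal quotes so the call alone delimits the argument: `$comments = explode("\n",shell_exec("cd '".REPOSITORY_PATH."/.tickets'; git ticket list comments ".escapeshellarg(basename($_SERVER['QUERY_STRING']))));`. `basename()` is not a validator here, so this quoting is the only control on the query string; if the ticket id has a known format, an anchored check before the call would make the intent explicit. The `cd '".REPOSITORY_PATH."/.tickets'` prefix is built the same way and deserves `escapeshellarg()` too unless REPOSITORY_PATH is guaranteed quote-free. The hunk's trailing context continues past the visible excerpt.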