Add escapeshellarg() calls on exec parameters. While I'm here, replace some exec() calls by php functions like symlink, copy, unlink, mkdir

8 files changed, 27 insertions, 27 deletions

diff --git a/usr/local/www/crash_reporter.php b/usr/local/www/crash_reporter.php
index d3146b8..853be0a 100755
--- a/usr/local/www/crash_reporter.php
+++ b/usr/local/www/crash_reporter.php
@@ -102,10 +102,10 @@ exec("/usr/bin/grep -vi warning /tmp/PHP_errors.log", $php_errors);
 	if (gettext($_POST['Submit']) == "Yes") {
 		echo gettext("Processing...");
 		if (!is_dir("/var/crash"))
-			mwexec("/bin/mkdir -p /var/crash");
+			mkdir("/var/crash", 0750, true);
 		@file_put_contents("/var/crash/crashreport_header.txt", $crash_report_header);
 		if(file_exists("/tmp/PHP_errors.log"))
-			exec("cp /tmp/PHP_errors.log /var/crash/");
+			copy("/tmp/PHP_errors.log", "/var/crash/");
 		exec("/usr/bin/gzip /var/crash/*");
 		$files_to_upload = glob("/var/crash/*");
 		echo "<p/>";
@@ -114,7 +114,7 @@ exec("/usr/bin/grep -vi warning /tmp/PHP_errors.log", $php_errors);
 		flush();
 		if(is_array($files_to_upload)) {
 			$resp = upload_crash_report($files_to_upload);
-			exec("rm /var/crash/*");
+			array_map('unlink', glob("/var/crash/*"));
 			// Erase the contents of the PHP error log
 			fclose(fopen("/tmp/PHP_errors.log", 'w'));
 			echo "<p/>";
@@ -124,7 +124,7 @@ exec("/usr/bin/grep -vi warning /tmp/PHP_errors.log", $php_errors);
 			echo "Could not find any crash files.";
 		}
 	} else if(gettext($_POST['Submit']) == "No") {
-		exec("rm /var/crash/*");
+		array_map('unlink', glob("rm /var/crash/*"));
 		// Erase the contents of the PHP error log
 		fclose(fopen("/tmp/PHP_errors.log", 'w'));
 		Header("Location: /");
diff --git a/usr/local/www/diag_arp.php b/usr/local/www/diag_arp.php
index c24ca62..19f74f0 100755
--- a/usr/local/www/diag_arp.php
+++ b/usr/local/www/diag_arp.php
@@ -249,7 +249,7 @@ function _getHostName($mac,$ip) {
 	else if ($dhcpip[$ip])
 		return $dhcpip[$ip];
 	else{
-		exec("host -W 1 $ip", $output);
+		exec("host -W 1 " . escapeshellarg($ip), $output);
 		if (preg_match('/.*pointer ([A-Za-z0-9.-]+)\..*/',$output[0],$matches)) {
 			if ($matches[1] <> $ip)
 				return $matches[1]; 
diff --git a/usr/local/www/diag_logs_vpn.php b/usr/local/www/diag_logs_vpn.php
index 7920306..715eb69 100755
--- a/usr/local/www/diag_logs_vpn.php
+++ b/usr/local/www/diag_logs_vpn.php
@@ -90,9 +90,9 @@ function dump_clog_vpn($logfile, $tail) {
 	$logarr = "";
 	
 	if(isset($config['system']['usefifolog'])) 
-		exec("/usr/sbin/fifolog_reader " . $logfile . " | tail {$sor} -n " . $tail, $logarr);
+		exec("/usr/sbin/fifolog_reader " . escapeshellarg($logfile) . " | tail {$sor} -n " . $tail, $logarr);
 	else 
-		exec("/usr/sbin/clog " . $logfile . " | tail {$sor} -n " . $tail, $logarr);
+		exec("/usr/sbin/clog " . escapeshellarg($logfile) . " | tail {$sor} -n " . $tail, $logarr);
 
 	foreach ($logarr as $logent) {
 		$logent = preg_split("/\s+/", $logent, 6);
@@ -191,4 +191,4 @@ include("head.inc");
 </table>
 <?php include("fend.inc"); ?>
 </body>
-</html>
\ No newline at end of file
+</html>
diff --git a/usr/local/www/diag_smart.php b/usr/local/www/diag_smart.php
index d7e8072..73f3405 100644
--- a/usr/local/www/diag_smart.php
+++ b/usr/local/www/diag_smart.php
@@ -85,7 +85,7 @@ function update_email($email)
 	if(!empty($email))
 	{
 		// Put it in the smartd.conf file
-		shell_exec("/usr/bin/sed -i old 's/^DEVICESCAN.*/DEVICESCAN -H -m " . $email . "/' /usr/local/etc/smartd.conf");
+		shell_exec("/usr/bin/sed -i old 's/^DEVICESCAN.*/DEVICESCAN -H -m " . escapeshellarg($email) . "/' /usr/local/etc/smartd.conf");
 	}
 	// Nope
 	else
@@ -98,7 +98,7 @@ function update_email($email)
 function smartmonctl($action)
 {
 	global $start_script;
-	shell_exec($start_script . $action);
+	shell_exec($start_script . escapeshellarg($action));
 }
 
 // What page, aka. action is being wanted
diff --git a/usr/local/www/firewall_aliases_edit.php b/usr/local/www/firewall_aliases_edit.php
index b2f3eb9..d92e145 100755
--- a/usr/local/www/firewall_aliases_edit.php
+++ b/usr/local/www/firewall_aliases_edit.php
@@ -73,7 +73,7 @@ if($_POST)
 
 // Debugging
 if($debug)
-	exec("rm -f {$g['tmp_path']}/alias_rename_log.txt");
+	unlink("{$g['tmp_path']}/alias_rename_log.txt");
 
 function alias_same_type($name, $type) {
 	global $config;
@@ -213,7 +213,7 @@ if ($_POST) {
 				$temp_filename = tempnam("{$g['tmp_path']}/", "alias_import");
 				unlink($temp_filename);
 				$verify_ssl = isset($config['system']['checkaliasesurlcert']);
-				mwexec("/bin/mkdir -p {$temp_filename}");
+				mkdir($temp_filename);
 				download_file($_POST['address' . $x], $temp_filename . "/aliases", $verify_ssl);
 
 				/* if the item is tar gzipped then extract */
@@ -270,7 +270,7 @@ if ($_POST) {
 						/* nothing was found */
 						$input_errors[] = sprintf(gettext("You must provide a valid URL. Could not fetch usable data from '%s'."), $_POST['address' . $x]);
 					}
-					mwexec("/bin/rm -rf {$temp_filename}");
+					mwexec("/bin/rm -rf " . escapeshellarg($temp_filename));
 				} else {
 					$input_errors[] = sprintf(gettext("URL '%s' is not valid."), $_POST['address' . $x]);
 				}
diff --git a/usr/local/www/guiconfig.inc b/usr/local/www/guiconfig.inc
index 1997ac5..9348dd3 100755
--- a/usr/local/www/guiconfig.inc
+++ b/usr/local/www/guiconfig.inc
@@ -553,9 +553,9 @@ function clear_log_file($logfile = "/var/log/system.log", $restart_syslogd = tru
 	} else {
 		$log_size = isset($config['syslog']['logfilesize']) ? $config['syslog']['logfilesize'] : "511488";
 		if(isset($config['system']['usefifolog']))
-			exec("/usr/sbin/fifolog_create -s {$log_size} {$logfile}");
+			exec("/usr/sbin/fifolog_create -s {$log_size} " . escapeshellarg($logfile));
 		else
-			exec("/usr/sbin/clog -i -s {$log_size} {$logfile}");
+			exec("/usr/sbin/clog -i -s {$log_size} " . escapeshellarg($logfile));
 	}
 	if ($restart_syslogd)
 		system_syslogd_start();
@@ -583,20 +583,20 @@ function dump_clog($logfile, $tail, $withorig = true, $grepfor = "", $grepinvert
 	$grepline = "  ";
 	if(is_array($grepfor))
 		foreach($grepfor as $agrep)
-			$grepline .= " | grep \"$agrep\"";
+			$grepline .= " | grep " . escapeshellarg($agrep);
 	if(is_array($grepinvert))
 		foreach($grepinvert as $agrep)
-			$grepline .= " | grep -v \"$agrep\"";
+			$grepline .= " | grep -v " . escapeshellarg($agrep);
 	if(file_exists($logfile) && filesize($logfile) == 0) {
 		$logarr = array("Log file started.");
 	} else {
 		if($config['system']['disablesyslogclog']) {
-			exec("cat {$logfile}{$grepline} | /usr/bin/tail {$sor} -n {$tail}", $logarr);
+			exec("cat " . escapeshellarg($logfile) . "{$grepline} | /usr/bin/tail {$sor} -n " . escapeshellarg($tail), $logarr);
 		} else {
 			if(isset($config['system']['usefifolog']))
-				exec("/usr/sbin/fifolog_reader {$logfile}{$grepline} | /usr/bin/tail {$sor} -n {$tail}", $logarr);
+				exec("/usr/sbin/fifolog_reader " . escapeshellarg($logfile) . "{$grepline} | /usr/bin/tail {$sor} -n " . escapeshellarg($tail), $logarr);
 			else
-				exec("/usr/sbin/clog {$logfile}{$grepline}| grep -v \"CLOG\" | grep -v \"\033\" | /usr/bin/tail {$sor} -n {$tail}", $logarr);
+				exec("/usr/sbin/clog " . escapeshellarg($logfile) . "{$grepline}| grep -v \"CLOG\" | grep -v \"\033\" | /usr/bin/tail {$sor} -n " . escapeshellarg($tail), $logarr);
 		}
 	}
 	foreach ($logarr as $logent) {
@@ -628,17 +628,17 @@ function return_clog($logfile, $tail, $withorig = true, $grepfor = "", $grepinve
 	$grepline = "  ";
 	if(is_array($grepfor))
 		foreach($grepfor as $agrep)
-			$grepline .= " | grep \"$agrep\"";
+			$grepline .= " | grep " . escapeshellarg($agrep);
 	if(is_array($grepinvert))
 		foreach($grepinvert as $agrep)
-			$grepline .= " | grep -v \"$agrep\"";
+			$grepline .= " | grep -v " . escapeshellarg($agrep);
 	if($config['system']['disablesyslogclog']) {
-		exec("cat {$logfile}{$grepline} | /usr/bin/tail {$sor} -n {$tail}", $logarr);
+		exec("cat " . escapeshellarg($logfile) . "{$grepline} | /usr/bin/tail {$sor} -n " . escapeshellarg($tail), $logarr);
 	} else {
 		if(isset($config['system']['usefifolog'])) {
-			exec("/usr/sbin/fifolog_reader {$logfile}{$grepline} | /usr/bin/tail {$sor} -n {$tail}", $logarr);
+			exec("/usr/sbin/fifolog_reader " . escapeshellarg($logfile) . "{$grepline} | /usr/bin/tail {$sor} -n " . escapeshellarg($tail), $logarr);
 		} else {
-			exec("/usr/sbin/clog {$logfile}{$grepline}| grep -v \"CLOG\" | grep -v \"\033\" | /usr/bin/tail {$sor} -n {$tail}", $logarr);
+			exec("/usr/sbin/clog " . escapeshellarg($logfile) . "{$grepline}| grep -v \"CLOG\" | grep -v \"\033\" | /usr/bin/tail {$sor} -n " . escapeshellarg($tail), $logarr);
 		}
 	}
 	return($logarr);
diff --git a/usr/local/www/interfaces.php b/usr/local/www/interfaces.php
index bfea79d..8927d5b 100755
--- a/usr/local/www/interfaces.php
+++ b/usr/local/www/interfaces.php
@@ -1314,7 +1314,7 @@ function check_wireless_mode() {
 		if (!interface_wireless_clone("{$wlanif}_", $wancfg)) {
 			$input_errors[] = sprintf(gettext("Unable to change mode to %s.  You may already have the maximum number of wireless clones supported in this mode."), $wlan_modes[$wancfg['wireless']['mode']]);
 		} else {
-			mwexec("/sbin/ifconfig {$wlanif}_ destroy");
+			mwexec("/sbin/ifconfig " . escapeshellarg($wlanif) . "_ destroy");
 		}
 		$wancfg['wireless']['mode'] = $old_wireless_mode;
 	}
diff --git a/usr/local/www/services_wol.php b/usr/local/www/services_wol.php
index f60a792..6494a07 100755
--- a/usr/local/www/services_wol.php
+++ b/usr/local/www/services_wol.php
@@ -95,7 +95,7 @@ if ($_POST || $_GET['mac']) {
 		else {
 			$bcip = gen_subnet_max($ipaddr, get_interface_subnet($if));
 			/* Execute wol command and check return code. */
-			if(!mwexec("/usr/local/bin/wol -i {$bcip} {$mac}"))
+			if(!mwexec("/usr/local/bin/wol -i {$bcip} " . escapeshellarg($mac)))
 				$savemsg .= sprintf(gettext("Sent magic packet to %s."),$mac);
 			else
 				$savemsg .= sprintf(gettext('Please check the %1$ssystem log%2$s, the wol command for %3$s did not complete successfully%4$s'),'<a href="/diag_logs.php">', '</a>', $mac, ".<br>");