Add escapeshellarg() calls on exec parameters. While I'm here, replace some exec() calls by php functions like symlink, copy, unlink, mkdir

1 files changed, 4 insertions, 4 deletions

diff --git a/etc/inc/filter_log.inc b/etc/inc/filter_log.inc
index 71e5495..c83c1e7 100644
--- a/etc/inc/filter_log.inc
+++ b/etc/inc/filter_log.inc
@@ -55,9 +55,9 @@ function conv_log_filter($logfile, $nentries, $tail = 50, $filtertext = "", $fil
 	$logarr = "";
 
 	if(isset($config['system']['usefifolog']))
-		exec("/usr/sbin/fifolog_reader {$logfile} | /usr/bin/tail -r -n {$tail}", $logarr);
+		exec("/usr/sbin/fifolog_reader " . escapeshellarg($logfile) . " | /usr/bin/tail -r -n {$tail}", $logarr);
 	else
-		exec("/usr/sbin/clog {$logfile} | grep -v \"CLOG\" | grep -v \"\033\" | /usr/bin/tail -r -n {$tail}", $logarr);
+		exec("/usr/sbin/clog " . escapeshellarg($logfile) . " | grep -v \"CLOG\" | grep -v \"\033\" | /usr/bin/tail -r -n {$tail}", $logarr);
 
 	$filterlog = array();
 	$counter = 0;
@@ -268,9 +268,9 @@ function find_rule_by_number($rulenum, $type="rules") {
 		$_gb = exec("/sbin/pfctl -vvPsn -a \"miniupnpd\" | grep '^@'", $buffer);
 	else {
 		if (file_exists("{$g['tmp_path']}/rules.debug"))
-			$_gb = exec("/sbin/pfctl -vvPnf {$g['tmp_path']}/rules.debug 2>/dev/null | /usr/bin/egrep '^@{$rulenum} {$type}'", $buffer);
+			$_gb = exec("/sbin/pfctl -vvPnf {$g['tmp_path']}/rules.debug 2>/dev/null | /usr/bin/egrep '^@" . escapeshellarg($rulenum) . " " .  escapeshellarg($type) . "'", $buffer);
 		else
-			$_gb = exec("/sbin/pfctl -vvPsr | grep '^@{$rulenum}'", $buffer);
+			$_gb = exec("/sbin/pfctl -vvPsr | grep '^@" . escapeshellarg($rulenum) . "'", $buffer);
 	}
 	if (is_array($buffer))
 		return $buffer[0];