author | jim-p <jimp@pfsense.org> | 2010-11-10 17:22:37 -0500 |
---|---|---|
committer | jim-p <jimp@pfsense.org> | 2010-11-10 17:22:37 -0500 |
commit | 29f76490d8db635646472f9e38f8402f31bb0e33 (patch) | |
tree | 9046436a4608a34f23df5da4d609499666dc4771 /usr/local/www/diag_dump_states.php | |
parent | dd18038e5032e8a68a8af9bece9a828768615248 (diff) | |
download | pfsense-29f76490d8db635646472f9e38f8402f31bb0e33.zip pfsense-29f76490d8db635646472f9e38f8402f31bb0e33.tar.gz |
Only use escapeshellarg when passing the arguments to the shell. Fixes #1005
Diffstat (limited to 'usr/local/www/diag_dump_states.php')
-rwxr-xr-x | usr/local/www/diag_dump_states.php | 8 |
1 files changed, 3 insertions, 5 deletions
diff --git a/usr/local/www/diag_dump_states.php b/usr/local/www/diag_dump_states.php
index 69d8dfd..a8671c1 100755
--- a/usr/local/www/diag_dump_states.php
+++ b/usr/local/www/diag_dump_states.php
@@ -44,11 +44,9 @@ require_once("guiconfig.inc");
 /* handle AJAX operations */
 if($_GET['action']) {
 if($_GET['action'] == "remove") {
- $srcip = escapeshellarg($_GET['srcip']);
- $dstip = escapeshellarg($_GET['dstip']);
- if (is_ipaddr($srcip) and is_ipaddr($dstip)) {
- $retval = mwexec("/sbin/pfctl -k '{$srcip}' -k '{$dstip}'");
- echo htmlentities("|{$srcip}|{$dstip}|{$retval}|");
+ if (is_ipaddr($_GET['srcip']) and is_ipaddr($_GET['dstip'])) {
+ $retval = mwexec("/sbin/pfctl -k " . escapeshellarg($_GET['srcip']) . " -k " . escapeshellarg($_GET['dstip']));
+ echo htmlentities("|{$_GET['srcip']}|{$_GET['dstip']}|{$retval}|");
 } else {
 echo gettext("invalid input");
 } |
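Review bot: The `remove` branch still changes firewall state (it runs `pfctl -k`) on a plain GET, and nothing visible in the hunk checks the request method or an anti-CSRF token. Unless `guiconfig.inc` already enforces one, this action should move to POST with a token check. Separately, `$_GET['srcip']` and `$_GET['dstip']` are read without confirming they are set and are strings; `is_ipaddr()` is defined outside the hunk, so whether it rejects an array-valued parameter cannot be confirmed here, and a guard such as `if (is_string($_GET['srcip']) && is_string($_GET['dstip']) && is_ipaddr(...))` would make that explicit. The validate-then-escape order is the right one and is worth a comment so it is not reverted: `/* validate the raw value; escapeshellarg() adds quotes, so apply it only when building the command */`. The enclosing `if($_GET['action'])` block continues past the end of the hunk.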