authorRenato Botelho <garga@FreeBSD.org>2014-02-04 12:33:29 -0200
committerRenato Botelho <garga@FreeBSD.org>2014-02-04 12:47:20 -0200
commit1eb03024fe15fcd8cdd20f32a9ba7c7f1fb75821 (patch)
tree6c5186c0184447c633776c795c3f10553e3c3876 /usr/local/www/firewall_aliases_edit.php
parent46b12609e51b9b3113abc9c22a1b0ad5a2b37d11 (diff)
Add escapeshellarg() calls on exec parameters. While I'm here, replace some exec() calls with PHP functions like symlink, copy, unlink, mkdir
Conflicts: usr/local/www/diag_logs_vpn.php usr/local/www/firewall_aliases_edit.php usr/local/www/guiconfig.inc
Diffstat (limited to 'usr/local/www/firewall_aliases_edit.php')
-rwxr-xr-xusr/local/www/firewall_aliases_edit.php6
1 files changed, 3 insertions, 3 deletions
diff --git a/usr/local/www/firewall_aliases_edit.php b/usr/local/www/firewall_aliases_edit.php
index 304cfd6..8813235 100755
--- a/usr/local/www/firewall_aliases_edit.php
+++ b/usr/local/www/firewall_aliases_edit.php
@@ -73,7 +73,7 @@ if($_POST)
// Debugging
if($debug)
- exec("rm -f {$g['tmp_path']}/alias_rename_log.txt");
+ unlink("{$g['tmp_path']}/alias_rename_log.txt");
function alias_same_type($name, $type) {
global $config;
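Review bot: `unlink()` raises an E_WARNING when the log file does not exist, whereas the `rm -f` it replaces was silent, so with `$debug` set the new line can emit a warning on any request where the file is absent. A guard keeps the old semantics: `if (file_exists("{$g['tmp_path']}/alias_rename_log.txt")) unlink("{$g['tmp_path']}/alias_rename_log.txt");`. The `if($debug)` above has no braces, so the guard has to stay a single statement or the `if` needs braces added. The `alias_same_type()` body continues outside the hunk.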
@@ -205,7 +205,7 @@ if ($_POST) {
$temp_filename = tempnam("{$g['tmp_path']}/", "alias_import");
unlink($temp_filename);
mwexec("/bin/mkdir -p {$temp_filename}");
- mwexec("/usr/bin/fetch -q -o \"{$temp_filename}/aliases\" \"" . $_POST['address' . $x] . "\"");
+ mwexec("/usr/bin/fetch -q -o \"{$temp_filename}/aliases\" " . escapeshellarg($_POST['address' . $x]));
/* if the item is tar gzipped then extract */
if(stristr($_POST['address' . $x], ".tgz"))
process_alias_tgz($temp_filename);
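Review bot: `escapeshellarg()` on the URL stops shell metacharacters, but the `mkdir -p {$temp_filename}` line above it and the `-o \"{$temp_filename}/aliases\"` path are still interpolated raw. Quoting also does not constrain what the value means to fetch(1): a value starting with `-` is parsed as an option, and a `file://` URL reads a local file. The URL validity check sits outside this hunk, so confirm it limits the scheme to http/https. Suggested form: `mwexec("/usr/bin/fetch -q -o " . escapeshellarg("{$temp_filename}/aliases") . " -- " . escapeshellarg($_POST['address' . $x]));`, with the mkdir replaced by `mkdir($temp_filename, 0700)`. Checking that `mkdir()` return value also detects the case where another process claims the name between `unlink()` and the directory creation.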
@@ -245,7 +245,7 @@ if ($_POST) {
/* nothing was found */
$input_errors[] = sprintf(gettext("You must provide a valid URL. Could not fetch usable data from '%s'."), $_POST['address' . $x]);
}
- mwexec("/bin/rm -rf {$temp_filename}");
+ mwexec("/bin/rm -rf " . escapeshellarg($temp_filename));
} else {
$input_errors[] = sprintf(gettext("URL '%s' is not valid."), $_POST['address' . $x]);
}
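Review bot: The recursive delete now quotes its argument, but nothing visible checks that `$temp_filename` is a directory this request created. The `tempnam()` call in the hunk at -205 is used without testing for `false`. A guard such as `if (!empty($temp_filename) && is_dir($temp_filename)) mwexec("/bin/rm -rf " . escapeshellarg($temp_filename));` makes the cleanup explicit about what it removes. The enclosing `if` starts outside this hunk, so the code between the fetch and this line could not be checked.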