diff options
author | Renato Botelho <garga@FreeBSD.org> | 2014-02-04 12:33:29 -0200 |
---|---|---|
committer | Renato Botelho <garga@FreeBSD.org> | 2014-02-04 12:47:20 -0200 |
commit | 1eb03024fe15fcd8cdd20f32a9ba7c7f1fb75821 (patch) | |
tree | 6c5186c0184447c633776c795c3f10553e3c3876 /usr/local/www/firewall_aliases_edit.php | |
parent | 46b12609e51b9b3113abc9c22a1b0ad5a2b37d11 (diff) | |
download | pfsense-1eb03024fe15fcd8cdd20f32a9ba7c7f1fb75821.zip pfsense-1eb03024fe15fcd8cdd20f32a9ba7c7f1fb75821.tar.gz |
Add escapeshellarg() calls on exec parameters. While I'm here, replace some exec() calls by php functions like symlink, copy, unlink, mkdir
Conflicts:
usr/local/www/diag_logs_vpn.php
usr/local/www/firewall_aliases_edit.php
usr/local/www/guiconfig.inc
Diffstat (limited to 'usr/local/www/firewall_aliases_edit.php')
-rwxr-xr-x | usr/local/www/firewall_aliases_edit.php | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/usr/local/www/firewall_aliases_edit.php b/usr/local/www/firewall_aliases_edit.php index 304cfd6..8813235 100755 --- a/usr/local/www/firewall_aliases_edit.php +++ b/usr/local/www/firewall_aliases_edit.php @@ -73,7 +73,7 @@ if($_POST) // Debugging if($debug) - exec("rm -f {$g['tmp_path']}/alias_rename_log.txt"); + unlink("{$g['tmp_path']}/alias_rename_log.txt"); function alias_same_type($name, $type) { global $config; @@ -205,7 +205,7 @@ if ($_POST) { $temp_filename = tempnam("{$g['tmp_path']}/", "alias_import"); unlink($temp_filename); mwexec("/bin/mkdir -p {$temp_filename}"); - mwexec("/usr/bin/fetch -q -o \"{$temp_filename}/aliases\" \"" . $_POST['address' . $x] . "\""); + mwexec("/usr/bin/fetch -q -o \"{$temp_filename}/aliases\" " . escapeshellarg($_POST['address' . $x])); /* if the item is tar gzipped then extract */ if(stristr($_POST['address' . $x], ".tgz")) process_alias_tgz($temp_filename); @@ -245,7 +245,7 @@ if ($_POST) { /* nothing was found */ $input_errors[] = sprintf(gettext("You must provide a valid URL. Could not fetch usable data from '%s'."), $_POST['address' . $x]); } - mwexec("/bin/rm -rf {$temp_filename}"); + mwexec("/bin/rm -rf " . escapeshellarg($temp_filename)); } else { $input_errors[] = sprintf(gettext("URL '%s' is not valid."), $_POST['address' . $x]); } |