Add missing escapeshellarg() in account creation

2019-04-23 18:16:07 +02:00 · 2019-04-23 18:16:07 +02:00 · d63150c4ce
parent 7b5868db38
commit d63150c4ce
1 changed files with 18 additions and 18 deletions
--- a/inc/accounts.php
+++ b/inc/accounts.php
@ -39,17 +39,17 @@ function web_add($form, $admin_mail) {

    if(!$form->getField('password_random')->getValue()) {
        $exec_cmd .= sprintf(' -p %s',
-                             $form->getField('password')->getValue());
+                             escapeshellarg($form->getField('password')->getValue()));
    }

    /* Ajout des options spécifiques à MySQL si nécessaire */
    if($form->getField('mysql_db')->getValue()) {
        $exec_cmd .= sprintf(' -m %s',
-                             $form->getField('mysql_dbname')->getValue());
+                             escapeshellarg($form->getField('mysql_dbname')->getValue()));

        if(!$form->getField('mysql_password_random')->getValue()) {
            $exec_cmd .= sprintf(' -P %s',
-                                $form->getField('mysql_password')->getValue());
+                                escapeshellarg($form->getField('mysql_password')->getValue()));
        }
    }

@ -58,12 +58,12 @@ function web_add($form, $admin_mail) {
    }

    if ($conf['quota']) {
-        $exec_cmd .= sprintf(' -q %s:%s', $form->getField('quota_soft')->getValue(), $form->getField('quota_hard')->getValue());
+        $exec_cmd .= sprintf(' -q %s:%s', escapeshellarg($form->getField('quota_soft')->getValue()), escapeshellarg($form->getField('quota_hard')->getValue()));
    }

    $exec_cmd .= sprintf(' -l %s %s %s 2>&1', $admin_mail,
-        $form->getField('username')->getValue(), 
-        $form->getField('domain')->getValue());
+        escapeshellarg($form->getField('username')->getValue()),
+        escapeshellarg($form->getField('domain')->getValue()));

    //domain_add($form, $_SERVER['SERVER_ADDR'], true);
    sudoexec($exec_cmd, $exec_output, $exec_return);
@ -72,7 +72,7 @@ function web_add($form, $admin_mail) {
    if ( $form->getField('domain_alias')->getValue() ) {
        $domain_alias = preg_split('/,/', $form->getField('domain_alias')->getValue());
        foreach ( $domain_alias as $domain ) {
-            $exec_cmd = 'web-add.sh add-alias '.$form->getField('username')->getValue().' ';
+            $exec_cmd = 'web-add.sh add-alias '.escapeshellarg($form->getField('username')->getValue()).' ';
            $domain = trim($domain);
            $exec_cmd .= $domain.' '. $server_list;
            sudoexec($exec_cmd, $exec_output, $exec_return);
@ -97,17 +97,17 @@ function web_add_cluster($form, $admin_mail) {

    if(!$form->getField('password_random')->getValue()) {
        $exec_cmd .= sprintf(' -p %s',
-                             $form->getField('password')->getValue());
+                             escapeshellarg($form->getField('password')->getValue()));
    }

    /* Ajout des options spécifiques à MySQL si nécessaire */
    if($form->getField('mysql_db')->getValue()) {
        $exec_cmd .= sprintf(' -m %s',
-                             $form->getField('mysql_dbname')->getValue());
+                             escapeshellarg($form->getField('mysql_dbname')->getValue()));

        if(!$form->getField('mysql_password_random')->getValue()) {
            $exec_cmd .= sprintf(' -P %s',
-                                $form->getField('mysql_password')->getValue());
+                                escapeshellarg($form->getField('mysql_password')->getValue()));
        }

        $account['bdd'] = $form->getField('mysql_dbname')->getValue();
@ -173,13 +173,13 @@ function web_add_cluster($form, $admin_mail) {
            break;
    }

-    $exec_cmd .= sprintf(' -l %s %s %s %s %s %s 2>&1', 
-        $admin_mail,
-        $form->getField('username')->getValue(), 
-        $form->getField('domain')->getValue(),
-        $master,
-        $slave,
-        ($realtime ? 'realtime': 'deferred'));
+    $exec_cmd .= sprintf(' -l %s %s %s %s %s %s 2>&1',
+        escapeshellarg($admin_mail),
+        escapeshellarg($form->getField('username')->getValue()),
+        escapeshellarg($form->getField('domain')->getValue()),
+        escapeshellarg($master),
+        escapeshellarg($slave),
+        escapeshellarg( ($realtime ? 'realtime': 'deferred')) );

    //if ($conf['bindadmin'])
    domain_add($form->getField('domain')->getValue(), gethostbyname($master), true, $form->getField('use_gmail_mxs')->getValue());
@ -189,7 +189,7 @@ function web_add_cluster($form, $admin_mail) {
    if ( $form->getField('domain_alias')->getValue() ) {
        $domain_alias = preg_split('/,/', $form->getField('domain_alias')->getValue());
        foreach ( $domain_alias as $alias ) {
-            $exec_cmd = 'web-add-cluster.sh add-alias '.$form->getField('username')->getValue().' ';
+            $exec_cmd = 'web-add-cluster.sh add-alias '.escapeshellarg($form->getField('username')->getValue()).' ';
            $alias = trim($alias);
            $exec_cmd .= $alias.' '.$master.' '.$slave;
            sudoexec($exec_cmd, $exec_output2, $exec_return2);