Add missing escapeshellarg() in account creation

This commit is contained in:
Ludovic Poujol 2019-04-23 18:16:07 +02:00
parent 7b5868db38
commit d63150c4ce


@ -39,17 +39,17 @@ function web_add($form, $admin_mail) {
if(!$form->getField('password_random')->getValue()) { if(!$form->getField('password_random')->getValue()) {
$exec_cmd .= sprintf(' -p %s', $exec_cmd .= sprintf(' -p %s',
$form->getField('password')->getValue()); escapeshellarg($form->getField('password')->getValue()));
} }
/* Ajout des options spécifiques à MySQL si nécessaire */ /* Ajout des options spécifiques à MySQL si nécessaire */
if($form->getField('mysql_db')->getValue()) { if($form->getField('mysql_db')->getValue()) {
$exec_cmd .= sprintf(' -m %s', $exec_cmd .= sprintf(' -m %s',
$form->getField('mysql_dbname')->getValue()); escapeshellarg($form->getField('mysql_dbname')->getValue()));
if(!$form->getField('mysql_password_random')->getValue()) { if(!$form->getField('mysql_password_random')->getValue()) {
$exec_cmd .= sprintf(' -P %s', $exec_cmd .= sprintf(' -P %s',
$form->getField('mysql_password')->getValue()); escapeshellarg($form->getField('mysql_password')->getValue()));
} }
} }
@ -58,12 +58,12 @@ function web_add($form, $admin_mail) {
} }
if ($conf['quota']) { if ($conf['quota']) {
$exec_cmd .= sprintf(' -q %s:%s', $form->getField('quota_soft')->getValue(), $form->getField('quota_hard')->getValue()); $exec_cmd .= sprintf(' -q %s:%s', escapeshellarg($form->getField('quota_soft')->getValue()), escapeshellarg($form->getField('quota_hard')->getValue()));
} }
$exec_cmd .= sprintf(' -l %s %s %s 2>&1', $admin_mail, $exec_cmd .= sprintf(' -l %s %s %s 2>&1', $admin_mail,
$form->getField('username')->getValue(), escapeshellarg($form->getField('username')->getValue()),
$form->getField('domain')->getValue()); escapeshellarg($form->getField('domain')->getValue()));
//domain_add($form, $_SERVER['SERVER_ADDR'], true); //domain_add($form, $_SERVER['SERVER_ADDR'], true);
sudoexec($exec_cmd, $exec_output, $exec_return); sudoexec($exec_cmd, $exec_output, $exec_return);
@ -72,7 +72,7 @@ function web_add($form, $admin_mail) {
if ( $form->getField('domain_alias')->getValue() ) { if ( $form->getField('domain_alias')->getValue() ) {
$domain_alias = preg_split('/,/', $form->getField('domain_alias')->getValue()); $domain_alias = preg_split('/,/', $form->getField('domain_alias')->getValue());
foreach ( $domain_alias as $domain ) { foreach ( $domain_alias as $domain ) {
$exec_cmd = 'web-add.sh add-alias '.$form->getField('username')->getValue().' '; $exec_cmd = 'web-add.sh add-alias '.escapeshellarg($form->getField('username')->getValue()).' ';
$domain = trim($domain); $domain = trim($domain);
$exec_cmd .= $domain.' '. $server_list; $exec_cmd .= $domain.' '. $server_list;
sudoexec($exec_cmd, $exec_output, $exec_return); sudoexec($exec_cmd, $exec_output, $exec_return);
@ -97,17 +97,17 @@ function web_add_cluster($form, $admin_mail) {
if(!$form->getField('password_random')->getValue()) { if(!$form->getField('password_random')->getValue()) {
$exec_cmd .= sprintf(' -p %s', $exec_cmd .= sprintf(' -p %s',
$form->getField('password')->getValue()); escapeshellarg($form->getField('password')->getValue()));
} }
/* Ajout des options spécifiques à MySQL si nécessaire */ /* Ajout des options spécifiques à MySQL si nécessaire */
if($form->getField('mysql_db')->getValue()) { if($form->getField('mysql_db')->getValue()) {
$exec_cmd .= sprintf(' -m %s', $exec_cmd .= sprintf(' -m %s',
$form->getField('mysql_dbname')->getValue()); escapeshellarg($form->getField('mysql_dbname')->getValue()));
if(!$form->getField('mysql_password_random')->getValue()) { if(!$form->getField('mysql_password_random')->getValue()) {
$exec_cmd .= sprintf(' -P %s', $exec_cmd .= sprintf(' -P %s',
$form->getField('mysql_password')->getValue()); escapeshellarg($form->getField('mysql_password')->getValue()));
} }
$account['bdd'] = $form->getField('mysql_dbname')->getValue(); $account['bdd'] = $form->getField('mysql_dbname')->getValue();
@ -173,13 +173,13 @@ function web_add_cluster($form, $admin_mail) {
break; break;
} }
$exec_cmd .= sprintf(' -l %s %s %s %s %s %s 2>&1', $exec_cmd .= sprintf(' -l %s %s %s %s %s %s 2>&1',
$admin_mail, escapeshellarg($admin_mail),
$form->getField('username')->getValue(), escapeshellarg($form->getField('username')->getValue()),
$form->getField('domain')->getValue(), escapeshellarg($form->getField('domain')->getValue()),
$master, escapeshellarg($master),
$slave, escapeshellarg($slave),
($realtime ? 'realtime': 'deferred')); escapeshellarg( ($realtime ? 'realtime': 'deferred')) );
//if ($conf['bindadmin']) //if ($conf['bindadmin'])
domain_add($form->getField('domain')->getValue(), gethostbyname($master), true, $form->getField('use_gmail_mxs')->getValue()); domain_add($form->getField('domain')->getValue(), gethostbyname($master), true, $form->getField('use_gmail_mxs')->getValue());
@ -189,7 +189,7 @@ function web_add_cluster($form, $admin_mail) {
if ( $form->getField('domain_alias')->getValue() ) { if ( $form->getField('domain_alias')->getValue() ) {
$domain_alias = preg_split('/,/', $form->getField('domain_alias')->getValue()); $domain_alias = preg_split('/,/', $form->getField('domain_alias')->getValue());
foreach ( $domain_alias as $alias ) { foreach ( $domain_alias as $alias ) {
$exec_cmd = 'web-add-cluster.sh add-alias '.$form->getField('username')->getValue().' '; $exec_cmd = 'web-add-cluster.sh add-alias '.escapeshellarg($form->getField('username')->getValue()).' ';
$alias = trim($alias); $alias = trim($alias);
$exec_cmd .= $alias.' '.$master.' '.$slave; $exec_cmd .= $alias.' '.$master.' '.$slave;
sudoexec($exec_cmd, $exec_output2, $exec_return2); sudoexec($exec_cmd, $exec_output2, $exec_return2);
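Review bot: The alias command in this hunk still hands an unescaped form value to the shell: `$alias` comes from `preg_split('/,/', ...)` over the domain_alias field and is appended raw in `$exec_cmd .= $alias.' '.$master.' '.$slave;`, so the escapeshellarg() added for the username on the line above protects only the first argument. The same gap exists in web_add's alias loop in the hunk at -72,7, where `$domain` (same origin) and `$server_list` are concatenated unescaped. Suggested line here, `$exec_cmd .= escapeshellarg($alias).' '.escapeshellarg($master).' '.escapeshellarg($slave);`, with the web_add loop changed the same way; whether `$master`, `$slave` and `$server_list` are operator-controlled is not visible from the diff, but quoting them is harmless and matches the -173,13 hunk, which already escapes `$master` and `$slave`. Separately, `$admin_mail` is escaped in web_add_cluster's `-l` line but not in web_add's (`-l %s %s %s 2>&1', $admin_mail,` in the -58,12 hunk); the two functions should agree. The enclosing foreach and web_add_cluster continue outside the hunk.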