From 1f9365ae97b9f28a3cdc38c6f556268e3b7acad8 Mon Sep 17 00:00:00 2001
From: Lars Jung
Date: Sat, 24 Aug 2013 23:22:34 +0200
Subject: [PATCH] Escapes shell arguments. See issue #197.
---
 src/_h5ai/server/php/inc/Archive.php | 6 +++---
 src/_h5ai/server/php/inc/Item.php | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/_h5ai/server/php/inc/Archive.php b/src/_h5ai/server/php/inc/Archive.php
index 16829753..d441884b 100644
--- a/src/_h5ai/server/php/inc/Archive.php
+++ b/src/_h5ai/server/php/inc/Archive.php
@@ -44,9 +44,9 @@ class Archive {
 private function shell_cmd($cmd) {
- $cmd = str_replace("[ROOTDIR]", "\"" . $this->app->get_abs_path() . "\"", $cmd);
- $cmd = str_replace("[DIRS]", count($this->dirs) ? "\"" . implode("\" \"", array_values($this->dirs)) . "\"" : "", $cmd);
- $cmd = str_replace("[FILES]", count($this->files) ? "\"" . implode("\" \"", array_values($this->files)) . "\"" : "", $cmd);
+ $cmd = str_replace("[ROOTDIR]", escapeshellarg($this->app->get_abs_path()), $cmd);
+ $cmd = str_replace("[DIRS]", count($this->dirs) ? implode(" ", array_map("escapeshellarg", $this->dirs)) : "", $cmd);
+ $cmd = str_replace("[FILES]", count($this->files) ? implode(" ", array_map("escapeshellarg", $this->files)) : "", $cmd);
 try {
 passthru($cmd);
 } catch (Exeption $err) {
diff --git a/src/_h5ai/server/php/inc/Item.php b/src/_h5ai/server/php/inc/Item.php
index 1a5c6135..2da5bffa 100644
--- a/src/_h5ai/server/php/inc/Item.php
+++ b/src/_h5ai/server/php/inc/Item.php
@@ -2,7 +2,7 @@ class Item {
- private static $FOLDER_SIZE_CMD = "du -sk \"[DIR]\"";
+ private static $FOLDER_SIZE_CMD = "du -sk [DIR]";
 public static function cmp($item1, $item2) {
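Review bot: The three `str_replace` calls on the added lines run one after another over the same string, so text inserted by an earlier call is rescanned by the later ones; a root path or directory name that itself contains a later placeholder token (for example the literal text `[FILES]`) would have that token expanded inside its already-quoted value, undoing the quoting `escapeshellarg()` just added. Replacing all three placeholders in one pass with `strtr()` and an array map avoids this, because `strtr()` never re-examines text it has already substituted. `escapeshellarg()` also drops bytes that are not valid in the process's current locale charset, so under a C/POSIX locale non-ASCII names are silently altered before the command runs; the same applies to the `[DIR]` substitution in the second Item.php hunk, and the PHP process's `LC_CTYPE` (via `setlocale()`) should match the filesystem's encoding. Separately, the unchanged `catch (Exeption $err)` line misspells `Exception`, so that catch can never match (`passthru()` reports failure through warnings and `false`, not exceptions); `shell_cmd()` continues past the end of the hunk.
```php
	private function shell_cmd($cmd) {
		$cmd = strtr($cmd, array(
			"[ROOTDIR]" => escapeshellarg($this->app->get_abs_path()),
			"[DIRS]" => count($this->dirs) ? implode(" ", array_map("escapeshellarg", $this->dirs)) : "",
			"[FILES]" => count($this->files) ? implode(" ", array_map("escapeshellarg", $this->files)) : "",
		));
		// … unchanged: passthru call and catch …
```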
@@ -57,7 +57,7 @@ class Item {
 $this->size = null;
 $options = $app->get_options();
 if ($options["foldersize"]["enabled"]) {
- $cmd = str_replace("[DIR]", $this->abs_path, Item::$FOLDER_SIZE_CMD);
+ $cmd = str_replace("[DIR]", escapeshellarg($this->abs_path), Item::$FOLDER_SIZE_CMD);
 $this->size = intval(preg_replace("/\s.*$/", "", `$cmd`), 10) * 1024;
 }
 } else {
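Review bot: On the line after the added one, the backtick output is fed straight into `intval()`, so when `du` fails or prints nothing (unreadable directory, vanished path) the operator returns `null`, `preg_replace()` turns that into an empty string and the folder is reported as `0` bytes instead of staying at the `null` assigned a few lines above, which makes an unreadable folder indistinguishable from an empty one. Keeping the raw output and testing it first preserves the "unknown" state: `$out = shell_exec($cmd);` followed by `$this->size = $out === null ? null : intval(preg_replace("/\s.*$/", "", $out), 10) * 1024;`. The template constant changed in the first Item.php hunk now depends on every consumer of `[DIR]` inserting an already-escaped value, which deserves a comment on the constant such as `// [DIR] must be replaced with an escapeshellarg()'d path`. The enclosing method begins and ends outside the hunk.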