Detaint mysql commands in update script

Kevin Stolp 2020-06-01 22:54:29 -07:00
parent bd287d7c7c
commit 0e6ff1ad09
1 changed files with 2 additions and 0 deletions


@ -399,6 +399,7 @@ if ( $version ) {
$command .= " --add-drop-table --databases ".$Config{ZM_DB_NAME}." > ".$backup;
print( "Creating backup to $backup. This may take several minutes.\n" );
print( "Executing '$command'\n" ) if ( logDebugging() );
($command) = $command =~ /(.*)/; # detaint
my $output = qx($command);
my $status = $? >> 8;
if ( $status || logDebugging() ) {
@ -993,6 +994,7 @@ sub patchDB {
$command .= '/zm_update-'.$version.'.sql';
print("Executing '$command'\n") if logDebugging();
($command) = $command =~ /(.*)/; # detaint
my $output = qx($command);
my $status = $? >> 8;
if ( $status || logDebugging() ) {
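Review bot: The `($command) = $command =~ /(.*)/; # detaint` line placed before each `qx($command)` (the backup branch in the first hunk, `patchDB` in the second) untaints the whole shell string without checking anything, so it silences taint mode instead of satisfying it. The string is assembled from interpolated values visible here (`$Config{ZM_DB_NAME}`, `$backup`, `$version`) and is then run through the shell, so each piece should be validated with an anchored allowlist before concatenation. Assuming versions are dotted numbers, that would be something like `my ($safe_version) = $version =~ /\A(\d+(?:\.\d+)*)\z/ or die "Unexpected version '$version'\n";`, leaving the final command built only from parts that are already untainted. Also, `.` does not match a newline without `/s`, so `(.*)` would silently truncate the command at the first newline instead of rejecting it. Both enclosing blocks start and end outside the hunks, so where these values originate cannot be confirmed from this page.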