From 0e6ff1ad09abd9f4ffd0472880f8063de5ee882c Mon Sep 17 00:00:00 2001
From: Kevin Stolp
Date: Mon, 1 Jun 2020 22:54:29 -0700
Subject: [PATCH] Detaint mysql commands in update script
---
 scripts/zmupdate.pl.in | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/scripts/zmupdate.pl.in b/scripts/zmupdate.pl.in
index 3662b6655..adbfde8a3 100644
--- a/scripts/zmupdate.pl.in
+++ b/scripts/zmupdate.pl.in
@@ -399,6 +399,7 @@ if ( $version ) {
 $command .= " --add-drop-table --databases ".$Config{ZM_DB_NAME}." > ".$backup;
 print( "Creating backup to $backup. This may take several minutes.\n" );
 print( "Executing '$command'\n" ) if ( logDebugging() );
+ ($command) = $command =~ /(.*)/; # detaint
 my $output = qx($command);
 my $status = $? >> 8;
 if ( $status || logDebugging() ) {
@@ -993,6 +994,7 @@ sub patchDB {
 $command .= '/zm_update-'.$version.'.sql';
 print("Executing '$command'\n") if logDebugging();
+ ($command) = $command =~ /(.*)/; # detaint
 my $output = qx($command);
 my $status = $? >> 8;
 if ( $status || logDebugging() ) {
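Review bot: The added `($command) = $command =~ /(.*)/;` ahead of `qx($command)` in the backup branch accepts any string, so it clears the taint flag on a shell command line without validating anything; the identical line added in `patchDB` (second hunk) has the same problem. The command is concatenated from values such as `$Config{ZM_DB_NAME}`, `$backup` and `$version`, and those are what should be untainted, each against an anchored allow-list pattern before it is appended, for example `my ($db) = $Config{ZM_DB_NAME} =~ /\A([\w-]+)\z/ or die "Invalid ZM_DB_NAME\n";`. Without `/s` the `.` also stops at the first newline, so a value containing one is silently truncated rather than rejected. Both enclosing blocks begin and end outside the hunks, so the origin of the other parts of `$command` cannot be checked from here.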