detaint command before performing backup. Fixes #2945

Isaac Connor 2020-05-29 14:53:42 -04:00
parent 20870e22fa
commit a7ef8e3dc8
1 changed files with 8 additions and 7 deletions


@ -384,21 +384,22 @@ if ( $version ) {
my $command = 'mysqldump';
if ( defined($portOrSocket) ) {
if ( $portOrSocket =~ /^\// ) {
$command .= " -S".$portOrSocket;
$command .= ' -S'.$portOrSocket;
} else {
$command .= " -h".$host." -P".$portOrSocket;
$command .= ' -h'.$host.' -P'.$portOrSocket;
}
} else {
$command .= " -h".$host;
$command .= ' -h'.$host;
}
if ( $dbUser ) {
$command .= ' -u'.$dbUser;
$command .= ' -p"'.$dbPass.'"' if $dbPass;
}
my $backup = "@ZM_TMPDIR@/".$Config{ZM_DB_NAME}."-".$version.".dump";
$command .= " --add-drop-table --databases ".$Config{ZM_DB_NAME}." > ".$backup;
print( "Creating backup to $backup. This may take several minutes.\n" );
print( "Executing '$command'\n" ) if ( logDebugging() );
my $backup = '@ZM_TMPDIR@/'.$Config{ZM_DB_NAME}.'-'.$version.'.dump';
$command .= ' --add-drop-table --databases '.$Config{ZM_DB_NAME}.' > '.$backup;
print("Creating backup to $backup. This may take several minutes.\n");
($command) = $command =~ /(.*)/; # detaint
print("Executing '$command'\n") if logDebugging();
my $output = qx($command);
my $status = $? >> 8;
if ( $status || logDebugging() ) {
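Review bot: The added `($command) = $command =~ /(.*)/; # detaint` untaints the whole string without checking anything, so the taint check is silenced while `$host`, `$portOrSocket`, `$dbUser`, `$dbPass`, `$Config{ZM_DB_NAME}` and `$version` still reach the shell through `qx($command)` unvalidated. I would untaint each value separately against an anchored pattern before it is concatenated, for example `($host) = $host =~ /\A([\w.:-]+)\z/ or die "Invalid database host\n";` (the exact character classes need confirming against the values ZoneMinder accepts), and drop the blanket match. The password is a separate problem: `-p"'.$dbPass.'"'` lets the shell interpret `"`, `$` and backticks inside it, and the `print("Executing '$command'\n")` line writes it to the debug output, so passing it through a `--defaults-extra-file` option file instead of the command line would be safer. Note also that `.` does not match a newline without `/s`, so the current pattern would cut the command at the first newline. The enclosing `if ( $version ) {` block starts and ends outside this hunk.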