From f2920c37e040fc7ed30270eb220b6bfa3d8002a4 Mon Sep 17 00:00:00 2001
From: Isaac Connor
Date: Tue, 18 Apr 2017 12:31:20 -0400
Subject: [PATCH] escapeshellarg adds quotes, which is bad. Use escapeshellcmd on the whole string instead.
---
 web/includes/functions.php | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/web/includes/functions.php b/web/includes/functions.php
index 92dd41347..e32aa070e 100644
--- a/web/includes/functions.php
+++ b/web/includes/functions.php
@@ -832,12 +832,13 @@ function packageControl( $command ) {
 function daemonControl( $command, $daemon=false, $args=false ) {
 $string = ZM_PATH_BIN."/zmdc.pl $command";
 if ( $daemon ) {
- $string .= escapeshellarg(" $daemon");
+ $string .= ' ' . $daemon;
 if ( $args ) {
- $string .= escapeshellarg(" $args");
+ $string .= ' ' . $args;
 }
 }
- $string .= " 2>/dev/null >&- <&- >/dev/null";
+ $string = escapeshellcmd( $string );
+ $string .= ' 2>/dev/null >&- <&- >/dev/null';
 exec( $string );
 }
@@ -944,10 +945,11 @@ function zmaStatus( $monitor ) {
 function daemonCheck( $daemon=false, $args=false ) {
 $string = ZM_PATH_BIN."/zmdc.pl check";
 if ( $daemon ) {
- $string .= escapeshellarg(" $daemon");
+ $string .= ' ' . $daemon;
 if ( $args )
- $string .= escapeshellarg(" $args");
+ $string .= ' '. $args;
 }
+ $string = escapeshellcmd( $string );
 $result = exec( $string );
 return( preg_match( '/running/', $result ) );
 }
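Review bot: escapeshellcmd() on the assembled string in daemonControl() neutralises shell metacharacters but does not confine `$command`, `$daemon` and `$args` to one argument each: whitespace inside a value still splits into extra words, a value beginning with `-` could be taken as an option by zmdc.pl, and paired quotes are left unescaped. The quoting problem named in the commit message came from the leading space sitting inside the quoted value, so the separator can move outside the call instead, `$string .= ' ' . escapeshellarg( $daemon );`, with the same treatment for `$command`. If `$args` is meant to carry several arguments (not visible in this hunk), it would need to arrive as a list and have each element quoted separately. The same applies to the daemonCheck() hunk further down.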
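Review bot: daemonCheck() now repeats the command-building and escaping sequence of daemonControl() almost line for line, with a brace-less `if ( $args )` and `' '. $args` spaced differently from the other function. Moving the construction into one private helper that both functions call would keep the escaping decision in a single place, so a later correction to how `$daemon` and `$args` are quoted cannot be applied to one function and missed in the other. A short comment on that helper stating whether callers may pass request-derived values would also help, since nothing in the hunk shows where `$daemon` and `$args` originate.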