Commit 9a70fc25 authored by Leigh B. Stoller's avatar Leigh B. Stoller

Add more sanity checking to arguments passed to shell command, since

this page is open to the world.
parent 6ee42b31
......@@ -26,6 +26,7 @@ if (!isset($nodeid) ||
strcmp($nodeid, "") == 0) {
SPITERROR(400, "You must provide a node ID.");
}
$nodeid = addslashes($nodeid);
if (!isset($file) ||
strcmp($file, "") == 0) {
SPITERROR(400, "You must provide an filename.");
......@@ -81,6 +82,12 @@ function SPEWCLEANUP()
ignore_user_abort(1);
register_shutdown_function("SPEWCLEANUP");
#
# MUST DO THIS!
#
$nodeid = escapeshellarg($nodeid);
$file = escapeshellarg($file);
#
# Run once with just the verify option to see if the file exists.
# Then do it for real, spitting out the data. Sure, the user could
......
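Review bot: The `$nodeid = addslashes($nodeid);` added in the first hunk does not provide shell safety and is redundant with the `escapeshellarg($nodeid)` added in the second hunk; addslashes only escapes quotes and backslashes for string-literal contexts, so a legitimate node ID containing one of those characters would now be altered before escapeshellarg quotes it, while the shell quoting itself is already handled correctly by escapeshellarg alone. A stricter and clearer check is to validate the argument against an allowlist before it reaches the command, e.g. `if (!preg_match('/^[-\w.]+$/', $nodeid)) { SPITERROR(400, "Invalid node ID."); }` in place of the addslashes line. Note that `$file` receives no corresponding check in the first hunk, and since escapeshellarg only quotes the argument it does not prevent a filename containing `..` or `/` from naming a path outside the intended directory; how `$file` is consumed by the command is not visible here, so a similar allowlist or basename check should be confirmed against that usage.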