github/myvesta
1
0
Fork 0
mirror of https://github.com/myvesta/vesta synced 2025-08-14 18:49:21 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

Revert "[SECURITY] Fix OS command injection."

Browse source
This commit is contained in:
Serghey Rodin 2015-12-11 21:14:49 +02:00
commit 39e9b6397b
115 changed files with 1980 additions and 1340 deletions
Download patch file Download diff file Expand all files Collapse all files

31
web/bulk/restore/index.php
View file

@ -9,11 +9,11 @@ include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
// Check token
if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) {
header('location: /login/');
exit;
exit();
}
$action = $_POST['action'];
$backup = $_POST['backup'];
$backup = escapeshellarg($_POST['backup']);
$web = 'no';
$dns = 'no';
@ -22,22 +22,25 @@ $db = 'no';
$cron = 'no';
$udir = 'no';
if (!empty($_POST['web'])) $web = implode(',', $_POST['web']);
if (!empty($_POST['dns'])) $dns = implode(',', $_POST['dns']);
if (!empty($_POST['mail'])) $mail = implode(',', $_POST['mail']);
if (!empty($_POST['db'])) $db = implode(',', $_POST['db']);
if (!empty($_POST['web'])) $web = escapeshellarg(implode(",",$_POST['web']));
if (!empty($_POST['dns'])) $dns = escapeshellarg(implode(",",$_POST['dns']));
if (!empty($_POST['mail'])) $mail = escapeshellarg(implode(",",$_POST['mail']));
if (!empty($_POST['db'])) $db = escapeshellarg(implode(",",$_POST['db']));
if (!empty($_POST['cron'])) $cron = 'yes';
if (!empty($_POST['udir'])) $udir = implode(',', $_POST['udir']);
if (!empty($_POST['udir'])) $udir = escapeshellarg(implode(",",$_POST['udir']));
if ($action == 'restore') {
$return_var = v_exec('v-schedule-user-restore', [$user, $backup, $web, $dns, $mail, $db, $cron, $udir]);
switch ($return_var) {
case 0:
$_SESSION['error_msg'] = __('RESTORE_SCHEDULED');
break;
case 4:
exec (VESTA_CMD."v-schedule-user-restore ".$user." ".$backup." ".$web." ".$dns." ".$mail." ".$db." ".$cron." ".$udir, $output, $return_var);
if ($return_var == 0) {
$_SESSION['error_msg'] = __('RESTORE_SCHEDULED');
} else {
$_SESSION['error_msg'] = implode('<br>', $output);
if (empty($_SESSION['error_msg'])) {
$_SESSION['error_msg'] = __('Error: vesta did not return any output.');
}
if ($return_var == 4) {
$_SESSION['error_msg'] = __('RESTORE_EXISTS');
break;
}
}
}