Flatta's security fixes from PullRequest #516

2025-08-14 10:37:42 -07:00 · 2015-12-11 21:32:07 +02:00 · 2015-12-11 21:32:07 +02:00 · 95850df8d1
commit 95850df8d1
parent f8b39ecae7
6 changed files with 9 additions and 8 deletions
--- a/web/edit/mail/index.php
+++ b/web/edit/mail/index.php
@ -233,7 +233,7 @@ if ((!empty($_POST['save'])) && (!empty($_GET['domain'])) && (!empty($_GET['acco
        $result = array_diff($aliases, $valiases);
        foreach ($result as $alias) {
            if ((empty($_SESSION['error_msg'])) && (!empty($alias))) {
-                exec (VESTA_CMD."v-add-mail-account-alias ".$v_username." ".$v_domain." ".$v_account." '".$alias."'", $output, $return_var);
+                exec (VESTA_CMD."v-add-mail-account-alias ".$v_username." ".$v_domain." ".$v_account." ".escapeshellarg($alias), $output, $return_var);
                check_return_code($return_var,$output);
                unset($output);
            }
@ -259,7 +259,7 @@ if ((!empty($_POST['save'])) && (!empty($_GET['domain'])) && (!empty($_GET['acco
        $result = array_diff($fwd, $vfwd);
        foreach ($result as $forward) {
            if ((empty($_SESSION['error_msg'])) && (!empty($forward))) {
-                exec (VESTA_CMD."v-add-mail-account-forward ".$v_username." ".$v_domain." ".$v_account." '".$forward."'", $output, $return_var);
+                exec (VESTA_CMD."v-add-mail-account-forward ".$v_username." ".$v_domain." ".$v_account." ".escapeshellarg($forward), $output, $return_var);
                check_return_code($return_var,$output);
                unset($output);
            }