From c377e19df851aec6758a072f3f2f31d48b18d059 Mon Sep 17 00:00:00 2001
From: dpeca
Date: Tue, 23 Jun 2020 19:06:25 +0200
Subject: [PATCH] Adding escapeshellarg on few more places in php code
---
 web/edit/server/index.php | 2 +-
 web/list/directory/index.php | 2 +-
 web/list/dns/index.php | 4 ++--
 web/list/mail/index.php | 4 ++--
 4 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/web/edit/server/index.php b/web/edit/server/index.php
index 0743ab17..49c577d8 100644
--- a/web/edit/server/index.php
+++ b/web/edit/server/index.php
@@ -356,7 +356,7 @@ if (!empty($_POST['save'])) {
 // Change remote backup host type
 if (empty($_SESSION['error_msg'])) {
 if ((!empty($_POST['v_backup_host'])) && ($_POST['v_backup_type'] != $v_backup_type)) {
- exec (VESTA_CMD."v-delete-backup-host ". $v_backup_type, $output, $return_var);
+ exec (VESTA_CMD."v-delete-backup-host " . escapeshellarg($v_backup_type), $output, $return_var);
 unset($output);
 $v_backup_host = escapeshellarg($_POST['v_backup_host']);
diff --git a/web/list/directory/index.php b/web/list/directory/index.php
index 12919b14..7a57566c 100644
--- a/web/list/directory/index.php
+++ b/web/list/directory/index.php
@@ -15,7 +15,7 @@ if (($_SESSION['user'] == 'admin') && (!empty($_SESSION['look']))) {
 }
 if (empty($panel)) {
- $command = VESTA_CMD."v-list-user '".$user."' 'json'";
+ $command = VESTA_CMD."v-list-user ".escapeshellarg($user)." 'json'";
 exec ($command, $output, $return_var);
 if ( $return_var > 0 ) {
 header("Location: /error/");
diff --git a/web/list/dns/index.php b/web/list/dns/index.php
index c98b8e47..53d5980c 100644
--- a/web/list/dns/index.php
+++ b/web/list/dns/index.php
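Review bot: In web/edit/server/index.php the exit status of `v-delete-backup-host` is discarded: `$return_var` is not tested and the next statement is `unset($output);`, so a failed delete goes unnoticed while the code moves on to configure the new backup host. Test it before continuing, for example `if ($return_var !== 0) { $_SESSION['error_msg'] = implode(' ', $output); }` placed ahead of the `unset`. Separately, two lines below the change an already-escaped value is stored in `$v_backup_host`, whereas the changed line escapes at the call site; keeping raw values in variables and calling `escapeshellarg()` only inside the `exec()` string would make it visible at every call whether an argument is quoted. The enclosing `if` block continues past the end of the hunk.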
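Review bot: In web/list/directory/index.php, `escapeshellarg($user)` keeps shell metacharacters out of the command line but does not make the value a valid account name: the command still receives whatever string `$user` holds, including an empty string or one that begins with `-`. Going by the hunk header, `$user` may be taken from `$_SESSION['look']`; the assignment is outside the hunk, so check there that the value is validated once against the panel's username pattern and rejected otherwise, before any v-* command is built. The same applies to the `$user` arguments changed in web/list/dns/index.php and web/list/mail/index.php. The hunk also ends on `header("Location: /error/");`; if no `exit;` follows it, the rest of the page still runs after the redirect.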
@@ -7,14 +7,14 @@ include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 // Data & Render page
 if (empty($_GET['domain'])){
- exec (VESTA_CMD."v-list-dns-domains $user json", $output, $return_var);
+ exec (VESTA_CMD."v-list-dns-domains ".escapeshellarg($user)." json", $output, $return_var);
 $data = json_decode(implode('', $output), true);
 $data = array_reverse($data, true);
 unset($output);
 render_page($user, $TAB, 'list_dns');
 } else {
- exec (VESTA_CMD."v-list-dns-records ".$user." ".escapeshellarg($_GET['domain'])." json", $output, $return_var);
+ exec (VESTA_CMD."v-list-dns-records ".escapeshellarg($user)." ".escapeshellarg($_GET['domain'])." json", $output, $return_var);
 $data = json_decode(implode('', $output), true);
 $data = array_reverse($data, true);
 unset($output);
diff --git a/web/list/mail/index.php b/web/list/mail/index.php
index 56c42a73..e389b3b1 100644
--- a/web/list/mail/index.php
+++ b/web/list/mail/index.php
@@ -7,14 +7,14 @@ include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 // Data & Render page
 if (empty($_GET['domain'])){
- exec (VESTA_CMD."v-list-mail-domains $user json", $output, $return_var);
+ exec (VESTA_CMD."v-list-mail-domains ".escapeshellarg($user)." json", $output, $return_var);
 $data = json_decode(implode('', $output), true);
 $data = array_reverse($data, true);
 unset($output);
 render_page($user, $TAB, 'list_mail');
 } else {
- exec (VESTA_CMD."v-list-mail-accounts ".$user." ".escapeshellarg($_GET['domain'])." json", $output, $return_var);
+ exec (VESTA_CMD."v-list-mail-accounts ".escapeshellarg($user)." ".escapeshellarg($_GET['domain'])." json", $output, $return_var);
 $data = json_decode(implode('', $output), true);
 $data = array_reverse($data, true);
 unset($output);
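Review bot: Neither branch in web/list/dns/index.php tests `$return_var` before decoding, so when the command fails or prints nothing `json_decode()` returns null and `array_reverse($data, true)` is called on null, which is a TypeError on PHP 8 and a warning on older versions. Add a guard after each `json_decode` line, for example `if ($return_var !== 0 || !is_array($data)) { $data = array(); }`, or redirect to the error page the way web/list/directory/index.php does on a non-zero status. The identical hunk in web/list/mail/index.php needs the same guard in both of its branches.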