Revert "[SECURITY] Fix OS command injection."

2025-08-14 10:37:39 -07:00 · 2015-12-11 21:14:49 +02:00 · 2015-12-11 21:14:49 +02:00 · 39e9b6397b
commit 39e9b6397b
parent 9620bfbf35
115 changed files with 1980 additions and 1340 deletions
--- a/web/delete/ip/index.php
+++ b/web/delete/ip/index.php
@ -8,19 +8,22 @@ include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 // Check token
 if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) {
    header('location: /login/');
-    exit;
+    exit();
 }

 if ($_SESSION['user'] == 'admin') {
    if (!empty($_GET['ip'])) {
-        $v_ip = $_GET['ip'];
-        v_exec('v-delete-sys-ip', [$v_ip]);
+        $v_ip = escapeshellarg($_GET['ip']);
+        exec (VESTA_CMD."v-delete-sys-ip ".$v_ip, $output, $return_var);
    }
+    check_return_code($return_var,$output);
+    unset($output);
+
 }

 $back = $_SESSION['back'];
 if (!empty($back)) {
-    header("Location: $back");
+    header("Location: ".$back);
    exit;
 }