Revert "[SECURITY] Fix OS command injection."

2025-08-14 10:37:39 -07:00 · 2015-12-11 21:14:49 +02:00 · 2015-12-11 21:14:49 +02:00 · 39e9b6397b
commit 39e9b6397b
parent 9620bfbf35
115 changed files with 1980 additions and 1340 deletions
--- a/web/delete/package/index.php
+++ b/web/delete/package/index.php
@ -8,19 +8,21 @@ include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 // Check token
 if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) {
    header('location: /login/');
-    exit;
+    exit();
 }

 if ($_SESSION['user'] == 'admin') {
    if (!empty($_GET['package'])) {
-        $v_package = $_GET['package'];
-        v_exec('v-delete-user-package', [$v_package]);
+        $v_package = escapeshellarg($_GET['package']);
+        exec (VESTA_CMD."v-delete-user-package ".$v_package, $output, $return_var);
    }
+    check_return_code($return_var,$output);
+    unset($output);
 }

 $back = $_SESSION['back'];
 if (!empty($back)) {
-    header("Location: $back");
+    header("Location: ".$back);
    exit;
 }