From 512283e52800f2e276a022662605de9642d165f3 Mon Sep 17 00:00:00 2001
From: INVENT
Date: Mon, 19 Jan 2015 15:51:46 +0300
Subject: [PATCH] Potential remote code execution vulnerability fix. Can be exploitable, when we have X-Forwarded-For->X-Real-IP transformation.
---
 web/api/index.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/web/api/index.php b/web/api/index.php
index 078ef1bd6..c938512a5 100644
--- a/web/api/index.php
+++ b/web/api/index.php
@@ -14,7 +14,8 @@ if (isset($_POST['user']) || isset($_POST['hash'])) {
 $v_user = escapeshellarg($_POST['user']);
 $v_password = escapeshellarg($_POST['password']);
- exec(VESTA_CMD ."v-check-user-password ".$v_user." ".$v_password." '".$_SERVER["REMOTE_ADDR"]."'", $output, $auth_code);
+ $v_ip_addr = escapeshellarg($_SERVER["REMOTE_ADDR"]);
+ exec(VESTA_CMD ."v-check-user-password ".$v_user." ".$v_password." '".$v_ip_addr."'", $output, $auth_code);
 } else {
 $key = '/usr/local/vesta/data/keys/' . basename($_POST['hash']);
 if (file_exists($key) && is_file($key)) {
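Review bot: The new exec() line still wraps `$v_ip_addr` in hand-written single quotes (`" '".$v_ip_addr."'"`), but escapeshellarg() already returns a single-quoted string, so the two pairs of quotes cancel out and the address reaches the shell unquoted; the escaping this commit adds is undone on the same line. Drop the literal quotes and pass the escaped value directly: `exec(VESTA_CMD ."v-check-user-password ".$v_user." ".$v_password." ".$v_ip_addr, $output, $auth_code);`. Because the commit message says a proxy may fill this value from a client-supplied header, it would also be worth checking it with `filter_var($_SERVER["REMOTE_ADDR"], FILTER_VALIDATE_IP)` and rejecting the request on failure before the command is built. The enclosing if/else block starts and ends outside the hunk.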