.escapeshellarg protection

Serghey Rodin 2015-10-21 19:16:42 +03:00
commit ddf1d55294


@ -24,7 +24,7 @@ if (($_SESSION['user'] == 'admin') && (!empty($_GET['user']))) {
}
// List user
exec (VESTA_CMD."v-list-user ".$v_username." json", $output, $return_var);
exec (VESTA_CMD."v-list-user ".escapeshellarg($v_username)." json", $output, $return_var);
check_return_code($return_var,$output);
$data = json_decode(implode('', $output), true);
unset($output);
@ -89,7 +89,7 @@ if (!empty($_POST['save'])) {
$fp = fopen($v_password, "w");
fwrite($fp, $_POST['v_password']."\n");
fclose($fp);
exec (VESTA_CMD."v-change-user-password ".$v_username." ".$v_password, $output, $return_var);
exec (VESTA_CMD."v-change-user-password ".escapeshellarg($v_username)." ".$v_password, $output, $return_var);
check_return_code($return_var,$output);
unset($output);
unlink($v_password);
@ -99,7 +99,7 @@ if (!empty($_POST['save'])) {
// Change package (admin only)
if (($v_package != $_POST['v_package']) && ($_SESSION['user'] == 'admin') && (empty($_SESSION['error_msg']))) {
$v_package = escapeshellarg($_POST['v_package']);
exec (VESTA_CMD."v-change-user-package ".$v_username." ".$v_package, $output, $return_var);
exec (VESTA_CMD."v-change-user-package ".escapeshellarg($v_username)." ".$v_package, $output, $return_var);
check_return_code($return_var,$output);
unset($output);
}
@ -107,7 +107,7 @@ if (!empty($_POST['save'])) {
// Change language
if (($v_language != $_POST['v_language']) && (empty($_SESSION['error_msg']))) {
$v_language = escapeshellarg($_POST['v_language']);
exec (VESTA_CMD."v-change-user-language ".$v_username." ".$v_language, $output, $return_var);
exec (VESTA_CMD."v-change-user-language ".escapeshellarg($v_username)." ".$v_language, $output, $return_var);
check_return_code($return_var,$output);
if (empty($_SESSION['error_msg'])) {
if ((empty($_GET['user'])) || ($_GET['user'] == $_SESSION['user'])) $_SESSION['language'] = $_POST['v_language'];
@ -118,7 +118,7 @@ if (!empty($_POST['save'])) {
// Change shell (admin only)
if (($v_shell != $_POST['v_shell']) && ($_SESSION['user'] == 'admin') && (empty($_SESSION['error_msg']))) {
$v_shell = escapeshellarg($_POST['v_shell']);
exec (VESTA_CMD."v-change-user-shell ".$v_username." ".$v_shell, $output, $return_var);
exec (VESTA_CMD."v-change-user-shell ".escapeshellarg($v_username)." ".$v_shell, $output, $return_var);
check_return_code($return_var,$output);
unset($output);
}
@ -129,7 +129,7 @@ if (!empty($_POST['save'])) {
$_SESSION['error_msg'] = __('Please enter valid email address.');
} else {
$v_email = escapeshellarg($_POST['v_email']);
exec (VESTA_CMD."v-change-user-contact ".$v_username." ".$v_email, $output, $return_var);
exec (VESTA_CMD."v-change-user-contact ".escapeshellarg($v_username)." ".$v_email, $output, $return_var);
check_return_code($return_var,$output);
unset($output);
}
@ -139,7 +139,7 @@ if (!empty($_POST['save'])) {
if (($v_fname != $_POST['v_fname']) || ($v_lname != $_POST['v_lname']) && (empty($_SESSION['error_msg']))) {
$v_fname = escapeshellarg($_POST['v_fname']);
$v_lname = escapeshellarg($_POST['v_lname']);
exec (VESTA_CMD."v-change-user-name ".$v_username." ".$v_fname." ".$v_lname, $output, $return_var);
exec (VESTA_CMD."v-change-user-name ".escapeshellarg($v_username)." ".$v_fname." ".$v_lname, $output, $return_var);
check_return_code($return_var,$output);
unset($output);
$v_fname = $_POST['v_fname'];
@ -157,7 +157,7 @@ if (!empty($_POST['save'])) {
$v_ns6 = escapeshellarg($_POST['v_ns6']);
$v_ns7 = escapeshellarg($_POST['v_ns7']);
$v_ns8 = escapeshellarg($_POST['v_ns8']);
$ns_cmd = VESTA_CMD."v-change-user-ns ".$v_username." ".$v_ns1." ".$v_ns2;
$ns_cmd = VESTA_CMD."v-change-user-ns ".escapeshellarg($v_username)." ".$v_ns1." ".$v_ns2;
if (!empty($_POST['v_ns3'])) $ns_cmd = $ns_cmd." ".$v_ns3;
if (!empty($_POST['v_ns4'])) $ns_cmd = $ns_cmd." ".$v_ns4;
if (!empty($_POST['v_ns5'])) $ns_cmd = $ns_cmd." ".$v_ns5;
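Review bot: No validation of `$v_username` is visible in these hunks, and `escapeshellarg()` alone only neutralises shell metacharacters; a value beginning with `-` would still reach the `v-*` scripts as an option. The assignment of `$v_username` lies outside the hunks shown (the first hunk header suggests it can come from `$_GET['user']` for admins), so checking it once there against the allowed account-name pattern and escaping it once into a dedicated variable would be safer than relying on every `exec` call site being remembered. In the password hunk `$v_password` is still concatenated unquoted; if it is a temp-file path created by the application that is likely harmless, but `escapeshellarg($v_password)` would keep the line consistent. Separately, the name-change condition mixes `||` and `&&` without grouping, so the `empty($_SESSION['error_msg'])` guard is skipped whenever `v_fname` differs. Grouping it as `if ((($v_fname != $_POST['v_fname']) || ($v_lname != $_POST['v_lname'])) && (empty($_SESSION['error_msg']))) {` restores the guard.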