Sanitize post data w/ escapeshellcmd()

RaspAP · Feb 17, 2023 · 1fabc48 · 1fabc48 · ismael0x00 · Jul 31, 2023
1 parent d192497
commit 1fabc48
Show file tree

Hide file tree

Showing 3 changed files with 3 additions and 3 deletions.
diff --git a/ajax/logging/clearlog.php b/ajax/logging/clearlog.php
@@ -5,7 +5,7 @@
 require_once '../../includes/functions.php';
 
 if (isset($_POST['logfile'])) {
-    $logfile = $_POST['logfile'];
+    $logfile = escapeshellcmd($_POST['logfile']);
 
     // truncate requested log file
     exec("sudo truncate -s 0 $logfile", $return);

diff --git a/ajax/openvpn/activate_ovpncfg.php b/ajax/openvpn/activate_ovpncfg.php
@@ -5,7 +5,7 @@
 require_once '../../includes/functions.php';
 
 if (isset($_POST['cfg_id'])) {
-    $ovpncfg_id = $_POST['cfg_id'];
+    $ovpncfg_id = escapeshellcmd($_POST['cfg_id']);
     $ovpncfg_client = RASPI_OPENVPN_CLIENT_PATH.$ovpncfg_id.'_client.conf';
     $ovpncfg_login = RASPI_OPENVPN_CLIENT_PATH.$ovpncfg_id.'_login.conf';
 

diff --git a/ajax/openvpn/del_ovpncfg.php b/ajax/openvpn/del_ovpncfg.php
@@ -5,7 +5,7 @@
 require_once '../../includes/functions.php';
 
 if (isset($_POST['cfg_id'])) {
-    $ovpncfg_id = $_POST['cfg_id'];
+    $ovpncfg_id = escapeshellcmd($_POST['cfg_id']);
     $ovpncfg_files = pathinfo(RASPI_OPENVPN_CLIENT_LOGIN, PATHINFO_DIRNAME).'/'.$ovpncfg_id.'_*.conf';
     exec("sudo rm $ovpncfg_files", $return);
     $jsonData = ['return'=>$return];