Fixes: bug 13886 - calamaris.dat Multiple Parameters Command Injection
Signed-off-by: Adolf Belka <[email protected]>
---
html/cgi-bin/logs.cgi/calamaris.dat | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/html/cgi-bin/logs.cgi/calamaris.dat
b/html/cgi-bin/logs.cgi/calamaris.dat
index dcc812e47..1c8e4b68e 100644
--- a/html/cgi-bin/logs.cgi/calamaris.dat
+++ b/html/cgi-bin/logs.cgi/calamaris.dat
@@ -170,6 +170,10 @@ if ($reportsettings{'ACTION'} eq $Lang::tr{'calamaris
create report'})
if ($reportsettings{'RUN_BACKGROUND'} eq 'on') { $commandline.=" &"; }
+ if (!($commandline =~ /^[a-zA-Z0-9-\s]+$/))
+ {
+ die "Invalid input in\"$commandline\"";
+ }
system("${General::swroot}/proxy/calamaris/bin/mkreport $commandline")
}
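Review bot: The new allow-list check on `$commandline` runs after the `RUN_BACKGROUND` line has appended ` &`, and `&` is not in `[a-zA-Z0-9-\s]`, so with background mode on the check always reaches `die` and no report is generated. Validate before the suffix is appended, i.e. move the `if (!($commandline =~ ...))` block above the `RUN_BACKGROUND` line. The pattern also uses `\s` and `$`, which accept newlines, and the string still reaches the shell through single-argument `system`; `/\A[a-zA-Z0-9 -]+\z/` would be tighter, assuming the options are joined with plain spaces (the code that builds `$commandline` is outside the hunk). The enclosing `if` block starts outside the hunk.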
--
2.51.0