From 135a732397eeac95897a92ef82c41bfa16d2b179 Mon Sep 17 00:00:00 2001
From: Squidly271
Date: Wed, 14 Mar 2018 22:55:37 -0400
Subject: [PATCH] Plug Security Hole In Docker Template PostArgs

Hole allows arbitrary execution of bash commands on host
---
 plugins/dynamix.docker.manager/include/CreateDocker.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/plugins/dynamix.docker.manager/include/CreateDocker.php b/plugins/dynamix.docker.manager/include/CreateDocker.php
index 1ac35defa..a8ca9dfc6 100644
--- a/plugins/dynamix.docker.manager/include/CreateDocker.php
+++ b/plugins/dynamix.docker.manager/include/CreateDocker.php
@@ -441,7 +441,9 @@ function xmlToCommand($xml, $create_paths=false) {
 
 function execCommand($command) {
 	// $command should have all its args already properly run through 'escapeshellarg'
-
+	$cmdTmp = explode(";",$command);
+	$command = $cmdTmp[0];
+
 	$descriptorspec = [
 		0 => ["pipe", "r"],    // stdin is a pipe that the child will read from
 		1 => ["pipe", "w"],    // stdout is a pipe that the child will write to
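Review bot: Cutting `$command` at the first `;` in execCommand() closes only one way of chaining a second command; other shell control operators and command substitutions pass through `explode(";",$command)` untouched, so template-supplied PostArgs can presumably still reach the shell. The truncation is also silent and unaware of quoting: a legitimate argument that contains `;` inside a value already run through `escapeshellarg` is cut in half, and the shortened command is still executed. The comment directly above says arguments are expected to arrive escaped, so the durable fix belongs where xmlToCommand() assembles the string (outside this hunk): split PostArgs into tokens and pass each through `escapeshellarg`, and have execCommand() refuse a command it does not trust rather than run a shortened one. At minimum, document the limit here, e.g. `// NOTE: only drops text after the first ';' - not a substitute for escaping PostArgs in xmlToCommand()`. execCommand's body continues past the end of the hunk.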