fix: web-components-extractor escape shell arguments in find command

- Updated the find command in WebComponentsExtractor to use escapeshellarg for both base path and manifest name to prevent command injection vulnerabilities.
Zack Spear
2025-03-27 15:17:41 -07:00
parent 14e0fed12a
commit 23861c1219

@@ -13,7 +13,9 @@ class WebComponentsExtractor
private function findManifestFiles(string $manifestName): array
{
$basePath = '/usr/local/emhttp' . self::PREFIXED_PATH;
$command = "find {$basePath} -name {$manifestName}";
$escapedBasePath = escapeshellarg($basePath);
$escapedManifestName = escapeshellarg($manifestName);
$command = "find {$escapedBasePath} -name {$escapedManifestName}";
exec($command, $files);
return $files;
}
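
Review bot: In findManifestFiles, escapeshellarg keeps shell metacharacters in $manifestName from being interpreted, but find still treats the -name value as a glob pattern, so a name containing *, ? or [ will match more than the literal manifest file. If $manifestName can come from outside the class, validate it against the expected filename shape before building $command, or drop the shell call and walk $basePath with RecursiveDirectoryIterator, comparing each basename for equality. The find invocation also has no -type f, so a directory with a matching name would be returned, and exec($command, $files) ignores the exit status; passing a third argument to exec and checking it would distinguish a failed find from "no manifests found".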