From ae0d70ccef8e1f543b1a170c4924eec6be5ef611 Mon Sep 17 00:00:00 2001
From: Squidly271
Date: Tue, 23 Sep 2025 18:43:17 -0400
Subject: [PATCH] Fix: Disallow reading settings from share containing apostrophe
---
 emhttp/plugins/dynamix/SecurityNFS.page | 4 ++--
 emhttp/plugins/dynamix/SecuritySMB.page | 12 ++++++------
 emhttp/plugins/dynamix/ShareEdit.page | 2 +-
 3 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/emhttp/plugins/dynamix/SecurityNFS.page b/emhttp/plugins/dynamix/SecurityNFS.page
index e74674f2f..da4a9cf20 100755
--- a/emhttp/plugins/dynamix/SecurityNFS.page
+++ b/emhttp/plugins/dynamix/SecurityNFS.page
@@ -31,7 +31,7 @@ _(Read settings from)_ if (isset($disks[$name])) { foreach (array_filter($disks,'clone_list') as $list) if ($list['name']!=$name) echo mk_option("", $list['name'], _(my_disk($list['name']),3)); } else {
- foreach ($shares as $list) if ($list['name']!=$name) echo mk_option("", $list['name'], compress($list['name']));
+ foreach ($shares as $list) if (strpos($list['name'],"'") === false && $list['name']!=$name) echo mk_option("", $list['name'], compress($list['name']));
 } ?>
@@ -48,7 +48,7 @@ _(Write settings to)_ if (isset($disks[$name])) { foreach (array_filter($disks,'clone_list') as $list) if ($list['name']!=$name) $rows[] = mk_option("", $list['name'], _(my_disk($list['name']),3)); } else {
- foreach ($shares as $list) if ($list['name']!=$name) $rows[] = mk_option("", $list['name'], compress($list['name']));
+ foreach ($shares as $list) if (strpos($list['name'],"'") === false && $list['name']!=$name) $rows[] = mk_option("", $list['name'], compress($list['name']));
 } if ($rows) echo ""; foreach ($rows as $row) echo $row;
diff --git a/emhttp/plugins/dynamix/SecuritySMB.page b/emhttp/plugins/dynamix/SecuritySMB.page
index 7991090dd..c3a7e679d 100755
--- a/emhttp/plugins/dynamix/SecuritySMB.page
+++ b/emhttp/plugins/dynamix/SecuritySMB.page
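Review bot: In SecurityNFS.page the added `strpos($list['name'],"'") === false` test in the `$shares` branch hides one character from the option list instead of encoding the name where it is emitted, so any other character that is special in the consuming context still reaches `mk_option()` unchanged. The commit does not show which consumer breaks on an apostrophe, and `mk_option()` is defined outside this diff, so whether it already escapes its arguments cannot be confirmed from here. If it does not, encoding at that sink with `htmlspecialchars($list['name'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` would cover the apostrophe and the remaining metacharacters without dropping shares from the list. The same applies to the second hunk of this file and to the six hunks in SecuritySMB.page.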
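Review bot: In the `_(Write settings to)_` hunk of SecurityNFS.page, shares whose name contains an apostrophe are now left out of `$rows` as well, although the commit subject mentions only reading settings, and nothing in the code records why. A one-line comment above the `foreach ($shares as $list)` line would document the intent, for example `// names containing ' are excluded from the clone lists, see <issue reference>`. The PHP block that holds this loop starts and ends outside the hunk, so the initialisation of `$rows` is not visible here.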
@@ -34,7 +34,7 @@ _(Read settings from)_ if (isset($disks[$name])) { foreach (array_filter($disks,'clone_list') as $list) if ($list['name']!=$name) echo mk_option("", $list['name'], _(my_disk($list['name']),3)); } else {
- foreach ($shares as $list) if ($list['name']!=$name) echo mk_option("", $list['name'], compress($list['name']));
+ foreach ($shares as $list) if (strpos($list['name'],"'") === false && $list['name']!=$name) echo mk_option("", $list['name'], compress($list['name']));
 } ?>
@@ -51,7 +51,7 @@ _(Write settings to)_ if (isset($disks[$name])) { foreach (array_filter($disks,'clone_list') as $list) if ($list['name']!=$name) $rows[] = mk_option("", $list['name'], _(my_disk($list['name']),3)); } else {
- foreach ($shares as $list) if ($list['name']!=$name) $rows[] = mk_option("", $list['name'], compress($list['name']));
+ foreach ($shares as $list) if (strpos($list['name'],"'") === false && $list['name']!=$name) $rows[] = mk_option("", $list['name'], compress($list['name']));
 } if ($rows) echo ""; foreach ($rows as $row) echo $row;
@@ -154,7 +154,7 @@ _(Read settings from)_ if (isset($disks[$name])) { foreach (array_filter($disks,'clone_list') as $list) if ($list['name']!=$name && $sec[$list['name']]['security']=='secure') echo mk_option("", $list['name'], _(my_disk($list['name']),3)); } else {
- foreach ($shares as $list) if ($list['name']!=$name && $sec[$list['name']]['security']=='secure') echo mk_option("", $list['name'], compress($list['name']));
+ foreach ($shares as $list) if (strpos($list['name'],"'") === false && $list['name']!=$name && $sec[$list['name']]['security']=='secure') echo mk_option("", $list['name'], compress($list['name']));
 } ?>
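Review bot: The apostrophe test is written out inline nine times across the three files, starting in SecuritySMB.page with this `foreach ($shares as $list)` line, while the disk branch directly above already filters through the `clone_list` callback. The share branch could follow the same pattern with a small callback such as `function clone_share($list) { return strpos($list['name'], "'") === false; }`, used as `foreach (array_filter($shares,'clone_share') as $list)`. That keeps the rule in one place, so a later change to the set of rejected characters cannot miss one of the lists. `clone_share` is a suggested name, not an existing function, and the file that defines `clone_list` is outside this diff.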
@@ -171,7 +171,7 @@ _(Write settings to)_ if (isset($disks[$name])) { foreach (array_filter($disks,'clone_list') as $list) if ($list['name']!=$name && $sec[$list['name']]['security']=='secure') $rows[] = mk_option("", $list['name'], _(my_disk($list['name']),3)); } else {
- foreach ($shares as $list) if ($list['name']!=$name && $sec[$list['name']]['security']=='secure') $rows[] = mk_option("", $list['name'], compress($list['name']));
+ foreach ($shares as $list) if (strpos($list['name'],"'") === false && $list['name']!=$name && $sec[$list['name']]['security']=='secure') $rows[] = mk_option("", $list['name'], compress($list['name']));
 } if ($rows) echo ""; foreach ($rows as $row) echo $row;
@@ -217,7 +217,7 @@ _(Read settings from)_ if (isset($disks[$name])) { foreach (array_filter($disks,'clone_list') as $list) if ($list['name']!=$name && $sec[$list['name']]['security']=='private') echo mk_option("", $list['name'], _(my_disk($list['name']),3)); } else {
- foreach ($shares as $list) if ($list['name']!=$name && $sec[$list['name']]['security']=='private') echo mk_option("", $list['name'], compress($list['name']));
+ foreach ($shares as $list) if (strpos($list['name'],"'") === false && $list['name']!=$name && $sec[$list['name']]['security']=='private') echo mk_option("", $list['name'], compress($list['name']));
 } ?>
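Review bot: `$list['name']!=$name` on the rewritten `foreach ($shares as $list)` line is a loose comparison, and PHP compares two numeric strings by value. Two distinct share names that both look numeric (constructed examples: `1e3` and `1000`) would therefore be treated as the same share, and one would be dropped from the list. Since the condition is being edited anyway, `$list['name']!==$name` would be the safer form, provided `$name` is always a string at this point; its assignment is outside the hunk. The same comparison appears on the changed line of every hunk in this patch.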
@@ -234,7 +234,7 @@ _(Write settings to)_ if (isset($disks[$name])) { foreach (array_filter($disks,'clone_list') as $list) if ($list['name']!=$name && $sec[$list['name']]['security']=='private') $rows[] = mk_option("", $list['name'], _(my_disk($list['name']),3)); } else {
- foreach ($shares as $list) if ($list['name']!=$name && $sec[$list['name']]['security']=='private') $rows[] = mk_option("", $list['name'], compress($list['name']));
+ foreach ($shares as $list) if (strpos($list['name'],"'") === false && $list['name']!=$name && $sec[$list['name']]['security']=='private') $rows[] = mk_option("", $list['name'], compress($list['name']));
 } if ($rows) echo ""; foreach ($rows as $row) echo $row;
diff --git a/emhttp/plugins/dynamix/ShareEdit.page b/emhttp/plugins/dynamix/ShareEdit.page
index 73f9ec998..53cc9cde0 100755
--- a/emhttp/plugins/dynamix/ShareEdit.page
+++ b/emhttp/plugins/dynamix/ShareEdit.page
@@ -327,7 +327,7 @@ function direction() { $myDisks = array_filter(array_diff(array_keys(array_filter($disks,'my_disks')), explode(',',$var['shareUserExclude'])), 'globalInclude'); $filteredShares = array_filter($shares, function($list) use ($name) {
- return $list['name'] != $name || !$name;
+ return (strpos($list['name'],"'") === false) && ($list['name'] != $name || !$name) ;
 }); ?> :share_edit_global1_help:
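Review bot: The `$filteredShares` closure in ShareEdit.page, like the filters in the two Security pages, only removes names from what the page renders; the selected share name is sent back by the browser and consumed by code outside this diff. If an apostrophe in the name is unsafe for that consumer, the same rejection belongs in the code that receives the name, since a submitted value is not bound to the options that were displayed. Separately, `!$name` makes the second clause true for every share when `$name` is empty, which appears deliberate for a new share; a comment such as `// new share: $name is empty, so every share is listed` would make that explicit. The stray space before `;` on the new `return` line can be removed.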