From 135a732397eeac95897a92ef82c41bfa16d2b179 Mon Sep 17 00:00:00 2001
From: Squidly271 <azawadzki@arrowgames.com>
Date: Wed, 14 Mar 2018 22:55:37 -0400
Subject: [PATCH 1/3] Plug Security Hole In Docker Template PostArgs

Hole allows arbitrary execution of bash commands on host
---
 plugins/dynamix.docker.manager/include/CreateDocker.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/plugins/dynamix.docker.manager/include/CreateDocker.php b/plugins/dynamix.docker.manager/include/CreateDocker.php
index 1ac35defa..a8ca9dfc6 100644
--- a/plugins/dynamix.docker.manager/include/CreateDocker.php
+++ b/plugins/dynamix.docker.manager/include/CreateDocker.php
@@ -441,7 +441,9 @@ function xmlToCommand($xml, $create_paths=false) {
 
 function execCommand($command) {
   // $command should have all its args already properly run through 'escapeshellarg'
-
+  $cmdTmp = explode(";",$command);
+  $command = $cmdTmp[0];
+  
   $descriptorspec = [
     0 => ["pipe", "r"],   // stdin is a pipe that the child will read from
     1 => ["pipe", "w"],   // stdout is a pipe that the child will write to

From 52255fa5bc3247ccf72eda4333e86ac4961162e0 Mon Sep 17 00:00:00 2001
From: Squidly271 <azawadzki@arrowgames.com>
Date: Fri, 16 Mar 2018 21:05:47 -0400
Subject: [PATCH 2/3] Switch split from command execution to post args only

---
 plugins/dynamix.docker.manager/include/CreateDocker.php | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/plugins/dynamix.docker.manager/include/CreateDocker.php b/plugins/dynamix.docker.manager/include/CreateDocker.php
index a8ca9dfc6..29be47bd2 100644
--- a/plugins/dynamix.docker.manager/include/CreateDocker.php
+++ b/plugins/dynamix.docker.manager/include/CreateDocker.php
@@ -422,6 +422,7 @@ function xmlToCommand($xml, $create_paths=false) {
       $Devices[] = escapeshellarg($hostConfig);
     }
   }
+  $postArgs = explode(";",$xml['PostArgs']);
   $cmd = sprintf($docroot.'/plugins/dynamix.docker.manager/scripts/docker create %s %s %s %s %s %s %s %s %s %s %s',
                  $cmdName,
                  $cmdNetwork,
@@ -433,7 +434,7 @@ function xmlToCommand($xml, $create_paths=false) {
                  implode(' --device=', $Devices),
                  $xml['ExtraParams'],
                  escapeshellarg($xml['Repository']),
-                 $xml['PostArgs']);
+                 $postArgs[0]);
 
   $cmd = trim(preg_replace('/\s+/', ' ', $cmd));
   return [$cmd, $xml['Name'], $xml['Repository']];
@@ -441,9 +442,7 @@ function xmlToCommand($xml, $create_paths=false) {
 
 function execCommand($command) {
   // $command should have all its args already properly run through 'escapeshellarg'
-  $cmdTmp = explode(";",$command);
-  $command = $cmdTmp[0];
-  
+ 
   $descriptorspec = [
     0 => ["pipe", "r"],   // stdin is a pipe that the child will read from
     1 => ["pipe", "w"],   // stdout is a pipe that the child will write to

From 85d21a386a89c48cfc88e3ed6bb19cee88fa41c3 Mon Sep 17 00:00:00 2001
From: Squidly271 <azawadzki@arrowgames.com>
Date: Fri, 16 Mar 2018 21:07:45 -0400
Subject: [PATCH 3/3] Switch split from command execution to post args only