Merge pull request #2111 from nextcloud/fix/ncp-web/unescaped-bash-args

theCalcaholic · web-flow · commit 87465f79622e · 2026-04-14T13:47:36.000+02:00
ncp-launcher.php: Escape all bash arguments in ncp-web
diff --git a/ncp-web/ncp-launcher.php b/ncp-web/ncp-launcher.php
@@ -16,6 +16,11 @@
 $l10nDir = "l10n";
 ignore_user_abort(true);
 
+function bash_escape_arg($arg): string
+{
+  return "'" . str_replace("'", "\\'", $arg) . "'";
+}
+
 //
 // language
 //
@@ -105,7 +110,7 @@
   echo ' "output": "" , ';
   echo ' "ret": ';
 
-  exec( 'bash -c "sudo /home/www/ncp-launcher.sh ' . $ncp_app . '"' , $output , $ret );
+  exec( 'bash -c "sudo /home/www/ncp-launcher.sh ' . bash_escape_arg($ncp_app) . '"' , $output , $ret );
   echo '"' . $ret . '" }';
 }
 
@@ -159,7 +164,7 @@
     exit('{ "output": "domain can\'t be empty", "ret": 1 }');
   }
   echo '{ "token": "' . getCSRFToken() . '",';               // Get new token
-  exec("/usr/bin/php /var/www/nextcloud/occ config:system:set overwrite.cli.url --value '" . $_POST['url'] . "'",
+  exec("/usr/bin/php /var/www/nextcloud/occ config:system:set overwrite.cli.url --value " . bash_escape_arg($_POST['url']),
       $out, $ret);
   echo  ' "out": "' . htmlspecialchars(join("\n", $out), ENT_QUOTES, "UTF-8") . '", ';
   echo  ' "ret": "' . $ret . '"}';
