Merge pull request #404 from jaredhendrickson13/next_patch

jaredhendrickson13 · web-flow · commit 09fbe9b8dba5 · 2023-10-05T19:02:10.000-06:00
v1.6.4 Fixes
diff --git a/pfSense-pkg-API/files/usr/local/share/pfSense-pkg-API/manage.php b/pfSense-pkg-API/files/usr/local/share/pfSense-pkg-API/manage.php
@@ -102,7 +102,7 @@ function revert($version) {
     if($headers && strpos($headers[0], '302')) {
         echo "done.".PHP_EOL;
         echo shell_exec("/usr/sbin/pkg delete -y pfSense-pkg-API");
-        echo shell_exec("/usr/sbin/pkg -C /dev/null add ".$url);
+        echo shell_exec("/usr/sbin/pkg -C /dev/null add " . escapeshellarg($url));
         echo shell_exec("/etc/rc.restart_webgui");
     } else {
         echo "no package found.".PHP_EOL;
diff --git a/pfSense-pkg-API/files/usr/local/www/api/update/index.php b/pfSense-pkg-API/files/usr/local/www/api/update/index.php
@@ -59,7 +59,7 @@
 # On update POST, start the update process
 if ($_POST["update"] and !empty($_POST["version"])) {
     # Start the update process in the background and print notice
-    shell_exec("nohup pfsense-api revert ".$_POST["version"]." > /dev/null &");
+    shell_exec("nohup pfsense-api revert ".escapeshellarg($_POST["version"])." > /dev/null &");
     print_apply_result_box(0, "\nAPI update process has started and is running in the background. Check back in a few minutes.");
 }
 

Original file line number	Diff line number	Diff line change
`@@ -59,7 +59,7 @@`
`59`	`59`	`# On update POST, start the update process`
`60`	`60`	`if ($_POST["update"] and !empty($_POST["version"])) {`
`61`	`61`	`# Start the update process in the background and print notice`
`62`		`- shell_exec("nohup pfsense-api revert ".$_POST["version"]." > /dev/null &");`
	`62`	`+ shell_exec("nohup pfsense-api revert ".escapeshellarg($_POST["version"])." > /dev/null &");`
`63`	`63`	`print_apply_result_box(0, "\nAPI update process has started and is running in the background. Check back in a few minutes.");`
`64`	`64`	`}`
`65`	`65`