diff --git a/datamodels/2.x/itop-backup/dbrestore.class.inc.php b/datamodels/2.x/itop-backup/dbrestore.class.inc.php
index ee276811a..e5adbd04b 100644
--- a/datamodels/2.x/itop-backup/dbrestore.class.inc.php
+++ b/datamodels/2.x/itop-backup/dbrestore.class.inc.php
@@ -53,14 +53,7 @@ class DBRestore extends DBBackup
 $sUser = self::EscapeShellArg($this->sDBUser);
 $sPwd = self::EscapeShellArg($this->sDBPwd);
 $sDBName = self::EscapeShellArg($this->sDBName);
- if (empty($this->sMySQLBinDir))
- {
- $sMySQLExe = 'mysql';
- }
- else
- {
- $sMySQLExe = '"'.$this->sMySQLBinDir.'/mysql"';
- }
+ $sMySQLExe = DBBackup::MakeSafeMySQLCommand($this->sMySQLBinDir, 'mysql');
 if (is_null($this->iDBPort))
 {
 $sPortOption = '';
diff --git a/datamodels/2.x/itop-backup/status.php b/datamodels/2.x/itop-backup/status.php
index 17040e579..d179ba067 100644
--- a/datamodels/2.x/itop-backup/status.php
+++ b/datamodels/2.x/itop-backup/status.php
@@ -95,12 +95,7 @@ try {
 // $sMySQLBinDir = MetaModel::GetConfig()->GetModuleSetting('itop-backup', 'mysql_bindir', '');
 $sMySQLBinDir = utils::ReadParam('mysql_bindir', $sMySQLBinDir, true);
- if (empty($sMySQLBinDir)) {
- $sMySQLDump = 'mysqldump';
- } else {
- //echo 'Info - Found mysql_bindir: '.$sMySQLBinDir;
- $sMySQLDump = '"'.$sMySQLBinDir.'/mysqldump"';
- }
+ $sMySQLDump = DBBackup::MakeSafeMySQLCommand($sMySQLBinDir, 'mysqldump');
 $sCommand = "$sMySQLDump -V 2>&1";
 $aOutput = array();
diff --git a/setup/backup.class.inc.php b/setup/backup.class.inc.php
index 70923feae..f0f222814 100644
--- a/setup/backup.class.inc.php
+++ b/setup/backup.class.inc.php
@@ -106,6 +106,8 @@ class DBBackup
 /** @var string */
 protected $sDBName;
 /** @var string */
+ protected $sMySQLBinDir = '';
+ /** @var string */
 protected $sDBSubName;
 /**
@@ -133,7 +135,6 @@ class DBBackup
 $this->sDBSubName = $oConfig->get('db_subname');
 }
- protected $sMySQLBinDir = '';
 /**
 * Create a normalized backup name, depending on the current date/time and Database 
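Review bot: `DBBackup::MakeSafeMySQLCommand($this->sMySQLBinDir, 'mysql')` on the added line can throw `BackupException` when the configured directory holds no `mysql` binary, whereas the removed branch never failed at this point; the enclosing method starts before the hunk, so it is not visible whether anything catches it, and if nothing does the method should either wrap the call or carry `@throws BackupException` in its docblock. Two lines above, the same class is reached through `self::EscapeShellArg(...)`, so `self::MakeSafeMySQLCommand(...)` would be the consistent spelling given that DBRestore extends DBBackup. Unlike the backup path (hunk at -362 in setup/backup.class.inc.php), this call uses the stored `$this->sMySQLBinDir` with no request-parameter override, which is the more conservative choice; a one-line comment saying so would keep it from being "harmonised" with the backup path later.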
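Review bot: The `$sMySQLBinDir` handed to `MakeSafeMySQLCommand` on the new line in status.php comes from `utils::ReadParam('mysql_bindir', ...)` two lines above, so the directory the shell command is assembled from is still caller-supplied; the new helper only verifies that a file by that name exists there and does not tie the value back to the module setting. If the override is meant for CLI runs only, consider honouring the request parameter only in that mode, or accepting it only when it equals the configured `mysql_bindir`; the hunk at -362 in setup/backup.class.inc.php has the same shape and the same question. The hunk sits inside `try {`, so the `BackupException` the helper may throw is presumably handled by a catch that lies outside the hunk.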
@@ -362,8 +363,9 @@ class DBBackup
 }
 $this->LogInfo("Starting backup of $this->sDBHost/$this->sDBName(suffix:'$this->sDBSubName')");
+ $sMySQLBinDir = utils::ReadParam('mysql_bindir', $this->sMySQLBinDir, true);
- $sMySQLDump = $this->GetMysqldumpCommand();
+ $sMySQLDump = $this->MakeSafeMySQLCommand($sMySQLBinDir, 'mysqldump');
 // Store the results in a temporary file
 $sTmpFileName = self::EscapeShellArg($sBackupFileName);
@@ -624,20 +626,22 @@ EOF;
 /**
 * @return string the command to launch mysqldump (without its params)
+ * @throws \BackupException
 */
- private function GetMysqldumpCommand()
+ public static function MakeSafeMySQLCommand(string $sMySQLBinDir, string $sCmd)
 {
- $sMySQLBinDir = utils::ReadParam('mysql_bindir', $this->sMySQLBinDir, true);
- if (empty($sMySQLBinDir))
- {
- $sMysqldumpCommand = 'mysqldump';
+ if (empty($sMySQLBinDir)) {
+ $sMySQLCommand = $sCmd;
 }
- else
- {
- $sMysqldumpCommand = '"'.$sMySQLBinDir.'/mysqldump"';
+ else {
+ $sMySQLBinDir = escapeshellcmd($sMySQLBinDir);
+ $sMySQLCommand = '"'.$sMySQLBinDir.'/$sCmd"';
+ if (!file_exists($sMySQLCommand)) {
+ throw new BackupException("$sCmd not found in $sMySQLBinDir");
+ }
 }
- return $sMysqldumpCommand;
+ return $sMySQLCommand;
 }
 }
diff --git a/setup/setuputils.class.inc.php b/setup/setuputils.class.inc.php
index 7a9943d3a..e01f2e49c 100644
--- a/setup/setuputils.class.inc.php
+++ b/setup/setuputils.class.inc.php
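Review bot: `$this->MakeSafeMySQLCommand($sMySQLBinDir, 'mysqldump')` on the new line calls a method that the hunk at -624 declares `public static`; going through `$this` works but reads as an instance call, and the following context line already uses `self::EscapeShellArg(...)`, so `$sMySQLDump = self::MakeSafeMySQLCommand($sMySQLBinDir, 'mysqldump');` keeps the two consistent. The helper can now throw `BackupException` where `GetMysqldumpCommand()` never did; the enclosing method starts before the hunk, so whether that exception is caught, or at least listed in the method's docblock, cannot be seen here.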
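Review bot: `$sMySQLCommand = '"'.$sMySQLBinDir.'/$sCmd"';` is single-quoted, so `$sCmd` is never interpolated and the value becomes the literal text `"<dir>/$sCmd"`, double quotes included; `file_exists()` on that string cannot succeed, which means every installation with a non-empty bindir now throws `BackupException` from this function, and dbrestore.class.inc.php, status.php and setuputils.class.inc.php all route through it. Even with the interpolation fixed, the existence check runs on the `escapeshellcmd()`-rewritten, quoted string rather than on the real path, so a directory containing characters that function escapes (constructed example: `C:\Program Files (x86)\MySQL\bin`) fails the check although the binary is present. I would build the plain path first, check it, and only then quote the whole path with the class's existing `self::EscapeShellArg()` helper, as below; `is_file()` instead of `file_exists()` additionally rejects a directory that happens to carry the binary's name. Whether Windows installs, where the binaries carry an `.exe` suffix, need the check to accept that name as well I cannot tell from the hunk, but it is worth confirming before the check becomes fatal. The docblock should follow the generalisation too: add `@param string $sMySQLBinDir directory holding the MySQL client binaries, or '' to rely on PATH` and `@param string $sCmd binary name, e.g. 'mysqldump'`, and reword `@return string` so it no longer speaks only of mysqldump.
```php
public static function MakeSafeMySQLCommand(string $sMySQLBinDir, string $sCmd)
{
    if (empty($sMySQLBinDir)) {
        return $sCmd;
    }
    // Check the real path, not the shell-quoted one, so the check and the executed command agree
    $sPath = $sMySQLBinDir.'/'.$sCmd;
    if (!is_file($sPath)) {
        throw new BackupException("$sCmd not found in $sMySQLBinDir");
    }
    // Quote the whole path once, the same way the other shell arguments are quoted
    return self::EscapeShellArg($sPath);
}
```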
@@ -552,14 +552,15 @@ class SetupUtils
 if (empty($sMySQLBinDir) && null != MetaModel::GetConfig()) {
 $sMySQLBinDir = MetaModel::GetConfig()->GetModuleSetting('itop-backup', 'mysql_bindir', '');
 }
-
- if (empty($sMySQLBinDir)) {
- $sMySQLDump = 'mysqldump';
- }
- else {
- $aResult[] = new CheckResult(CheckResult::TRACE, 'Info - Found mysql_bindir: '.$sMySQLBinDir);
- $sMySQLDump = '"'.$sMySQLBinDir.'/mysqldump"';
+ try {
+ $sMySQLDump = DBBackup::MakeSafeMySQLCommand($sMySQLBinDir, 'mysqldump');
+ } catch (Exception $e) {
+ $aResult[] = new CheckResult(CheckResult::ERROR, $e->getMessage());
+ return $aResult;
 }
+ if (!empty($sMySQLBinDir)) {
+ $aResult[] = new CheckResult(CheckResult::TRACE, 'Info - Found mysql_bindir: '.$sMySQLBinDir);
+ }
 $sCommand = "$sMySQLDump -V 2>&1";
 $aOutput = array();
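Review bot: `} catch (Exception $e) {` on the new lines is wider than the `@throws \BackupException` the helper declares, so any unrelated exception raised while building the command is reported as the mysqldump check's ERROR and `return $aResult;` then skips whatever checks follow in this method; `} catch (BackupException $e) {` keeps the message for the case it was written for and lets anything unexpected propagate. Since `MakeSafeMySQLCommand` returns the quoted command rather than the directory, the added `if (!empty($sMySQLBinDir))` TRACE is the only place the resolved directory is surfaced on success, which is fine, but a short comment such as `// Trace the directory only once the binary has been found there` would explain why it now sits after the try block. The enclosing method starts before the hunk.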