N°3412 - Command Injection vulnerability in the Setup Wizard

This commit is contained in:
odain
2021-02-15 18:36:27 +01:00
parent 0b95220d1b
commit 905ee19519


@@ -554,6 +554,12 @@ class SetupUtils
$aResult[] = new CheckResult(CheckResult::ERROR, "The PHP exec() function has been disabled on this server");
}
$sEscapedGraphvizPath = \escapeshellarg($sGraphvizPath);
if (!is_file($sEscapedGraphvizPath) || ! is_executable($sEscapedGraphvizPath)){
//N°3412 avoid shell injection
return new CheckResult(CheckResult::WARNING, "$sGraphvizPath could not be executed: Please make sure it is installed and in the path");
}
// availability of dot / dot.exe
if (empty($sGraphvizPath))
{