N°3412 - Command Injection vulnerability in the Setup Wizard - do not use escapeshellcmd before execution in Windows envt

application/utils.inc.php

@@ -2337,4 +2337,12 @@ class utils
 		$e = new CoreException($sMessage, null, '', $oException);
 		throw $e;
 	}
+
+	/**
+	 * @return bool : indicate whether we run under a windows environnement or not
+	 * @since 2.7.4 : N°3412
+	 */
+	public static function IsWindows(){
+		return (substr(PHP_OS,0,3) === 'WIN');
+	}
 }

setup/setuputils.class.inc.php

@@ -566,7 +566,9 @@ class SetupUtils
 					"$sGraphvizPath could not be executed: Please make sure it is installed and in the path");
 			}
 
-			$sGraphvizPath = escapeshellcmd($sGraphvizPath);
+			if (!utils::IsWindows()){
+				$sGraphvizPath = escapeshellcmd($sGraphvizPath);
+			}
 		}
 
 		$sCommand = "\"$sGraphvizPath\" -V 2>&1";

test/setup/SetupUtilsTest.php

@@ -30,7 +30,7 @@ class SetupUtilsTest extends ItopTestCase
 	}
 
 	/**
-	 * @dataProvider CheckGravitzProvider
+	 * @dataProvider CheckGravitProvider
 	 */
 	public function testCheckGravitz($sScriptPath, $iSeverity, $sLabel){
 		/** @var \CheckResult $oCheck */
@@ -39,7 +39,7 @@ class SetupUtilsTest extends ItopTestCase
 		$this->assertContains($sLabel, $oCheck->sLabel);
 	}
 
-	public function CheckGravitzProvider(){
+	public function CheckGravitProvider(){
 		if (substr(PHP_OS,0,3) === 'WIN'){
 			return [];
 		}