From bb877a244be035235834cbd45009867ef913cf60 Mon Sep 17 00:00:00 2001
From: odain
Date: Wed, 17 Feb 2021 10:09:39 +0100
Subject: [PATCH] =?UTF-8?q?N=C2=B03412=20-=20Command=20Injection=20vulnera?=
 =?UTF-8?q?bility=20in=20the=20Setup=20Wizard=20-=20do=20not=20use=20escap?=
 =?UTF-8?q?eshellcmd=20before=20execution=20in=20Windows=20envt?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 application/utils.inc.php | 8 ++++++++
 setup/setuputils.class.inc.php | 4 +++-
 test/setup/SetupUtilsTest.php | 4 ++--
 3 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/application/utils.inc.php b/application/utils.inc.php
index ec5b43ab5..738971a60 100644
--- a/application/utils.inc.php
+++ b/application/utils.inc.php
@@ -2337,4 +2337,12 @@ class utils
 $e = new CoreException($sMessage, null, '', $oException);
 throw $e;
 }
+
+ /**
+ * @return bool : indicate whether we run under a windows environnement or not
+ * @since 2.7.4 : N°3412
+ */
+ public static function IsWindows(){
+ return (substr(PHP_OS,0,3) === 'WIN');
+ }
 }
diff --git a/setup/setuputils.class.inc.php b/setup/setuputils.class.inc.php
index 9413636bc..23f1d8692 100644
--- a/setup/setuputils.class.inc.php
+++ b/setup/setuputils.class.inc.php
@@ -566,7 +566,9 @@ class SetupUtils
 "$sGraphvizPath could not be executed: Please make sure it is installed and in the path");
 }
- $sGraphvizPath = escapeshellcmd($sGraphvizPath);
+ if (!utils::IsWindows()){
+ $sGraphvizPath = escapeshellcmd($sGraphvizPath);
+ }
 }
 $sCommand = "\"$sGraphvizPath\" -V 2>&1";
diff --git a/test/setup/SetupUtilsTest.php b/test/setup/SetupUtilsTest.php
index efa110ec1..14e996a8e 100644
--- a/test/setup/SetupUtilsTest.php
+++ b/test/setup/SetupUtilsTest.php
@@ -30,7 +30,7 @@ class SetupUtilsTest extends ItopTestCase
 }
 /**
- * @dataProvider CheckGravitzProvider
+ * @dataProvider CheckGravitProvider
 */
 public function testCheckGravitz($sScriptPath, $iSeverity, $sLabel){
 /** @var \CheckResult $oCheck */
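Review bot: `IsWindows()` compares `substr(PHP_OS,0,3)` with the upper-case literal `'WIN'`, so it recognises `WINNT` and `WIN32` but would return false for a `PHP_OS` value spelled `Windows`, and a false negative here silently restores the pre-patch `escapeshellcmd` call on Windows. The form the PHP manual itself uses is `return strtoupper(substr(PHP_OS, 0, 3)) === 'WIN';`, or `return PHP_OS_FAMILY === 'Windows';` if the project's minimum PHP version is 7.2 or later. The method declares no return type although the docblock promises `bool`; `public static function IsWindows(): bool` lets the engine enforce that promise. In the docblock, `environnement` should read `environment`.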
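Review bot: On the Windows branch `$sGraphvizPath` now reaches `$sCommand = "\"$sGraphvizPath\" -V 2>&1";` with no escaping at all, so the surrounding double quotes are the only thing keeping the value inside one argument; a path containing `"`, `&` or `|` would still be interpreted by cmd.exe, and the only guard against that is whatever rejected the path before this point (the `could not be executed` check is visible above, but its early return, if any, is outside the hunk). A portable fix that removes the platform branch is to escape the argument instead of the command: drop the `escapeshellcmd` block and build the line as `$sCommand = escapeshellarg($sGraphvizPath).' -V 2>&1';`, since `escapeshellarg` produces a quoted argument on both platforms and on Windows neutralises `"` and `%` inside the value, whereas `escapeshellcmd` on Windows prefixes `^` to backslashes and breaks the quoted path, which appears to be what this commit works around. If a Windows path containing `%` must be supported, note that `escapeshellarg` turns it into a space, so the check would fail rather than run something else. The enclosing function starts and ends outside the hunk.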
@@ -39,7 +39,7 @@ class SetupUtilsTest extends ItopTestCase
 $this->assertContains($sLabel, $oCheck->sLabel);
 }
- public function CheckGravitzProvider(){
+ public function CheckGravitProvider(){
 if (substr(PHP_OS,0,3) === 'WIN'){
 return [];
 }