author | Benny Baumann <BenBE@geshi.org> | 2014-04-19 00:45:25 +0200 |
---|---|---|
committer | Benny Baumann <BenBE@geshi.org> | 2014-04-19 00:45:25 +0200 |
commit | 066a02232fca9338c990a00bb696a6a51f2fd542 (patch) | |
tree | 51779f8adbabb9a41171aa7ff6c1147ad2da9245 /www | |
parent | 0ea069195e48daced9e92cc919be59a483566c78 (diff) | |
bug 1272: Properly escape the filename passed to OpenSSL
Diffstat (limited to 'www')
-rw-r--r-- | www/api/ccsr.php | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/www/api/ccsr.php b/www/api/ccsr.php index 7efdf8d..403882f 100644 --- a/www/api/ccsr.php +++ b/www/api/ccsr.php @@ -73,7 +73,9 @@ require_once '../../includes/lib/check_weak_key.php'; $fp = fopen($incsr, "w"); fputs($fp, $CSR); fclose($fp); - $do = `/usr/bin/openssl req -in $incsr -out $checkedcsr`; + $incsr_esc = escapeshellarg($incsr); + $checkedcsr_esc = escapeshellarg($checkedcsr); + $do = `/usr/bin/openssl req -in $incsr_esc -out $checkedcsr_esc`; @unlink($incsr); if(filesize($checkedcsr) <= 0) die("404,Invalid or missing CSR"); |
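Review bot: On the new backtick line, the exit status of `/usr/bin/openssl req` is still discarded, so the only failure signal remains the later `filesize($checkedcsr) <= 0` test. `escapeshellarg()` on both `$incsr` and `$checkedcsr` is the right fix for the quoting problem. Backticks return only stdout, though, so consider switching to `exec($cmd, $out, $ret)` and dying on `$ret !== 0` before looking at the output file. That also avoids calling `filesize()` on a file that may not exist. The context lines show the same pattern in two more places: the return value of `fopen($incsr, "w")` is not checked before `fputs()`, and `@unlink($incsr)` suppresses any error, so a failed write would go unnoticed until OpenSSL rejects the empty input. A short comment above the two `_esc` assignments saying why the paths need escaping would help the next reader keep them in place.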