summaryrefslogtreecommitdiff
path: root/www
diff options
context:
space:
mode:
authorBenny Baumann <BenBE@geshi.org>2014-04-19 00:45:25 +0200
committerBenny Baumann <BenBE@geshi.org>2014-04-19 00:45:25 +0200
commit066a02232fca9338c990a00bb696a6a51f2fd542 (patch)
tree51779f8adbabb9a41171aa7ff6c1147ad2da9245 /www
parent0ea069195e48daced9e92cc919be59a483566c78 (diff)
downloadcacert-devel-066a02232fca9338c990a00bb696a6a51f2fd542.tar.gz
cacert-devel-066a02232fca9338c990a00bb696a6a51f2fd542.tar.xz
cacert-devel-066a02232fca9338c990a00bb696a6a51f2fd542.zip
bug 1272: Properly escape the filename passed to OpenSSL
Diffstat (limited to 'www')
-rw-r--r--www/api/ccsr.php4
1 files changed, 3 insertions, 1 deletions
diff --git a/www/api/ccsr.php b/www/api/ccsr.php
index 7efdf8d..403882f 100644
--- a/www/api/ccsr.php
+++ b/www/api/ccsr.php
@@ -73,7 +73,9 @@ require_once '../../includes/lib/check_weak_key.php';
$fp = fopen($incsr, "w");
fputs($fp, $CSR);
fclose($fp);
- $do = `/usr/bin/openssl req -in $incsr -out $checkedcsr`;
+ $incsr_esc = escapeshellarg($incsr);
+ $checkedcsr_esc = escapeshellarg($checkedcsr);
+ $do = `/usr/bin/openssl req -in $incsr_esc -out $checkedcsr_esc`;
@unlink($incsr);
if(filesize($checkedcsr) <= 0)
die("404,Invalid or missing CSR");