From b6ee5404b9dcc3df6ace5f640f522118d18b818d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felix=20D=C3=B6rre?=
Date: Sun, 15 Jun 2014 10:39:04 +0200
Subject: bug 1273: replace backtick operators with shell_exec + fix 1 missing escapeshellarg Commands used to locate: 1. find includes -type f -name '*.php' -exec cat {} \; \ | tr '\n' '?' | sed 's/\(\$query .\?= \|\ mysql_query(\|query_init (\)"\([^"]\|".\(\(intval\|mysql_real_escape_string\)\ (\$[^\$)]\+)\|\$_SESSION\(\['_config'\]\['user'\]\['Q[1-5]'\]\ \|['_config']['disablelogin']\)\)[ ?]*."\)*"/mysql-substitute/g'\ | tr '?' '\n' | grep --color=always "\`"|less -r and reviewing the queries by hand. This command replaces out strings obviously looking like sql_queries and then outputting al remaining backticks: starting with "$query = ,mysql_query, ..." and are only interrupted by "safe" calls: - mysql_real_escape_string - intval - pre_escaped session variables (This command may also be used for locating bad escaped sql_queries) 2. grep -r "\`\(grep\|/\|echo\|dig\|openssl\|gpg\|rm\|../\)" www includes pages \ | grep -v '\(from\|update\|into\) `gpg'
---
 pages/account/15.php | 2 +-
 pages/account/19.php | 2 +-
 pages/account/23.php | 2 +-
 pages/account/6.php | 6 +++---
 4 files changed, 6 insertions(+), 6 deletions(-) (limited to 'pages/account')
diff --git a/pages/account/15.php b/pages/account/15.php
index 6cd3115..405cb44 100644
--- a/pages/account/15.php
+++ b/pages/account/15.php
@@ -30,7 +30,7 @@
 }
 $row = mysql_fetch_assoc($res);
 $crtname=escapeshellarg($row['crt_name']);
- $cert = `/usr/bin/openssl x509 -in $crtname`;
+ $cert = shell_exec("/usr/bin/openssl x509 -in $crtname");
 ?>
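Review bot: The result of `shell_exec()` is used without a check. It returns `null` when the command fails or prints nothing, and `false` if the pipe cannot be established, so a missing or unreadable `crt_name` file yields an empty `$cert` rather than an error. The same applies to the hunks in pages/account/19.php and 23.php and to the three in 6.php, where `$cert` goes straight into `strlen()` for `Content-Length` and into the response body. A guard right after each call, e.g. `if (!is_string($cert) || $cert === '') { /* log and take the page's error path */ }`, would make the failure visible instead of serving an empty certificate. How `$cert` is consumed in 15.php lies outside this hunk.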

diff --git a/pages/account/19.php b/pages/account/19.php
index 6a2749c..959111f 100644
--- a/pages/account/19.php
+++ b/pages/account/19.php
@@ -31,7 +31,7 @@
 	}
 	$row = mysql_fetch_assoc($res);
         $crtname=escapeshellarg($row['crt_name']);
-	$cert = `/usr/bin/openssl x509 -in $crtname`;
+	$cert = shell_exec("/usr/bin/openssl x509 -in $crtname");
 
 	if($row['keytype'] == "NS")
 	{
diff --git a/pages/account/23.php b/pages/account/23.php
index 4ec56c3..4255b47 100644
--- a/pages/account/23.php
+++ b/pages/account/23.php
@@ -30,7 +30,7 @@
 	}
 	$row = mysql_fetch_assoc($res);
         $crtname=escapeshellarg($row['crt_name']);
-	$cert = `/usr/bin/openssl x509 -in $crtname`;
+	$cert = shell_exec("/usr/bin/openssl x509 -in $crtname");
 ?>
 

diff --git a/pages/account/6.php b/pages/account/6.php
index 305fccb..de8d1a3 100644
--- a/pages/account/6.php
+++ b/pages/account/6.php
@@ -60,7 +60,7 @@ if (array_key_exists('format', $_REQUEST)) {
 	}
 
 	$crtname=escapeshellarg($row['crt_name']);
-	$cert = `/usr/bin/openssl x509 -in $crtname $outform`;
+	$cert = shell_exec("/usr/bin/openssl x509 -in $crtname $outform");
 
 	header("Content-Type: application/pkix-cert");
 	header("Content-Length: ".strlen($cert));
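Review bot: `$outform` is interpolated into the command string without `escapeshellarg()`, unlike `$crtname` one line above it. It is assigned outside this hunk; if it is derived from `$_REQUEST['format']` (the hunk header shows that check), it should only ever be chosen from fixed literals, e.g. `$outform = ($_REQUEST['format'] === 'der') ? '-outform DER' : '-outform PEM';`. Wrapping the whole value in `escapeshellarg()` would not work because it carries two arguments, so an allowlist, or escaping only the format token, is the right shape. A short comment at the call such as `// $outform is one of two fixed literals, never request data` would record the invariant for the next audit.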
@@ -82,7 +82,7 @@ if (array_key_exists('format', $_REQUEST)) {
 	} else {
 		// All other browsers
 		$crtname=escapeshellarg($row['crt_name']);
-		$cert = `/usr/bin/openssl x509 -in $crtname -outform DER`;
+		$cert = shell_exec("/usr/bin/openssl x509 -in $crtname -outform DER");
 
 		header("Content-Type: application/x-x509-user-cert");
 		header("Content-Length: ".strlen($cert));
@@ -111,7 +111,7 @@ if (array_key_exists('format', $_REQUEST)) {
 
 	// Allow to directly copy and paste the cert in PEM format
 	$crtname=escapeshellarg($row['crt_name']);
-	$cert = `/usr/bin/openssl x509 -in $crtname -outform PEM`;
+	$cert = shell_exec("/usr/bin/openssl x509 -in $crtname -outform PEM");
 	echo "
$cert
"; ?> -- cgit v1.2.1