From 8d55453ef458ef28faa567dfcf94ef079c4359b8 Mon Sep 17 00:00:00 2001 From: Nikolay Bachiyski Date: Wed, 30 Mar 2016 13:57:40 +0000 Subject: [PATCH] Snoopy: use escapeshellarg instead of escapeshellcmd We are escaping arguments, not commands, so we'd better use the semantically correct function, even though they are similar. git-svn-id: https://develop.svn.wordpress.org/trunk@37094 602fd350-edb4-49c9-b593-d223f7449a82 --- src/wp-includes/class-snoopy.php | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/src/wp-includes/class-snoopy.php b/src/wp-includes/class-snoopy.php index e08e732157..7b3940669f 100644 --- a/src/wp-includes/class-snoopy.php +++ b/src/wp-includes/class-snoopy.php @@ -999,20 +999,23 @@ class Snoopy if(!empty($this->user) || !empty($this->pass)) $headers[] = "Authorization: BASIC ".base64_encode($this->user.":".$this->pass); - for($curr_header = 0; $curr_header < count($headers); $curr_header++) { - $safer_header = strtr( $headers[$curr_header], "\"", " " ); - $cmdline_params .= " -H \"".$safer_header."\""; + $headerfile = tempnam( $this->temp_dir, "sno" ); + $cmdline_params = '-k -D ' . escapeshellarg( $headerfile ); + + foreach ( $headers as $header ) { + $cmdline_params .= ' -H ' . escapeshellarg( $header ); } - if(!empty($body)) - $cmdline_params .= " -d \"$body\""; + if ( ! empty( $body ) ) { + $cmdline_params .= ' -d ' . escapeshellarg( $body ); + } - if($this->read_timeout > 0) - $cmdline_params .= " -m ".$this->read_timeout; + if ( $this->read_timeout > 0 ) { + $cmdline_params .= ' -m ' . escapeshellarg( $this->read_timeout ); + } - $headerfile = tempnam($this->temp_dir, "sno"); - exec($this->curl_path." -k -D \"$headerfile\"".$cmdline_params." \"".escapeshellcmd($URI)."\"",$results,$return); + exec( $this->curl_path . ' ' . $cmdline_params . ' ' . escapeshellarg( $URI ), $results, $return ); if($return) {