Escape the shell arguments in order to prevent shell_exec access to requests (!19) · Merge requests · public / Unc Inc Drupal React Frontend

Christiaan requested to merge hotfix/escapeshellarg into master Jul 12, 2021

Proof of concept:

curl --user ldapuser:ldappasswd "https://staging.uncinc.nl/\$\{IFS\}\`touch\$\{IFS\}/tmp/testfile\`\\"

This should fix the issues by single quoting the result and escaping any single quotes in the string, making it a single safe shell argument.

Escape the shell arguments in order to prevent shell_exec access to requests