From f73bdcb72fc77c5ea4a7e5c5af716784eff5337d Mon Sep 17 00:00:00 2001
From: thomas <9033-thomas@users.noreply.git.laquadrature.net>
Date: Sun, 19 Dec 2021 23:59:17 +0100
Subject: [PATCH] Escape parameters used in external commands in the Perso
 controller

The risk of command injection is negligible now that the identifier is
verified to be present in the database, but it is better to be safe with
regard to future changes.
---
 app/controller/perso.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/controller/perso.php b/app/controller/perso.php
index 92a7e29..97e90a5 100644
--- a/app/controller/perso.php
+++ b/app/controller/perso.php
@@ -390,7 +390,7 @@ class Perso extends Controller
         $db = $f3->get('DB');
         $id = $params['id'];
         $command = "pdftk ";
-        $args = " ../www/receipt.pdf fill_form ../tmp/".$id.".xfdf output ../tmp/".$id.".pdf flatten dont_ask";
+        $args = " ../www/receipt.pdf fill_form ../tmp/".escapeshellarg($id).".xfdf output ../tmp/".escapeshellarg($id).".pdf flatten dont_ask";
         $logger->write($command . " " .$args);
 
         // Vérification que le don appartient bien à l'utilisateur connecté
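Review bot: `escapeshellarg($id)` on the new line only neutralises shell metacharacters; it does not constrain what `$id` contributes to the path, so the `../tmp/` prefix is still only a prefix and the argument remains whatever the caller supplied, quoted. Escaping a fragment spliced into the middle of a word also relies on the shell's quote concatenation to rebuild `../tmp/<id>.xfdf`, which is correct but obscure; escaping each complete argument reads as intended: `$args = " ../www/receipt.pdf fill_form ".escapeshellarg("../tmp/{$id}.xfdf")." output ".escapeshellarg("../tmp/{$id}.pdf")." flatten dont_ask";`. If the identifier is numeric, as the database lookup in the commit message suggests, validating it up front (`$id = (int) $params['id'];` or a `ctype_digit` check) would make the escaping a second line of defence rather than the only one; I cannot confirm the id's type from the hunk. The ownership check announced by the comment on the last line runs after the command string has already been built and logged, so the enclosing method (which starts and ends outside the hunk) is worth reading to confirm nothing is executed before that check.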
-- 
GitLab