Commit f73bdcb7 authored by thomas's avatar thomas

Escape parameters used in external commands in the Perso controller

The risk of command injection is negligible now that the identifier is
verified to be present in the database, but better to be safe with regard to
future changes.
parent 6516c8a3
......@@ -390,7 +390,7 @@ class Perso extends Controller
$db = $f3->get('DB');
$id = $params['id'];
$command = "pdftk ";
$args = " ../www/receipt.pdf fill_form ../tmp/".$id.".xfdf output ../tmp/".$id.".pdf flatten dont_ask";
$args = " ../www/receipt.pdf fill_form ../tmp/".escapeshellarg($id).".xfdf output ../tmp/".escapeshellarg($id).".pdf flatten dont_ask";
$logger->write($command . " " .$args);
// Vérification que le don appartient bien à l'utilisateur connecté
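Review bot: escapeshellarg() on the added line neutralises shell metacharacters in $id, but $id is also used to build a filesystem path (../tmp/<id>.xfdf and ../tmp/<id>.pdf), and single-quoting does nothing against path components such as `..`; since the commit message says the identifier is already verified against the database, consider also enforcing the expected format of $id before this point (for example rejecting anything that is not a plain numeric identifier) so the protection does not depend on the database lookup staying in place. As a style point, escapeshellarg($id) is computed twice on the same line; assigning it once to a local such as `$safeId = escapeshellarg($id);` keeps the argument string readable. Note also that `$logger->write($command . " " .$args);` now records the quoted form of the identifier, which is fine but changes what appears in the log.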