Escape parameters used in external commands in the Perso controller

The risk of command injection is negligible now that the identifier is verified to be present in the database, but better be safe in regard to future changes.

Escape parameters used in external commands in the Perso controller
The risk of command injection is negligible now that the identifier is verified to be present in the database, but better be safe in regard to future changes.
f73bdcb7 · thomas · 6516c8a3 · f73bdcb7
Commit f73bdcb7 authored Dec 19, 2021 by thomas
--- a/app/controller/perso.php
+++ b/app/controller/perso.php
@@ -390,7 +390,7 @@ class Perso extends Controller
        $db = $f3->get('DB');
        $id = $params['id'];
        $command = "pdftk ";
-        $args = " ../www/receipt.pdf fill_form ../tmp/".$id.".xfdf output ../tmp/".$id.".pdf flatten dont_ask";
+        $args = " ../www/receipt.pdf fill_form ../tmp/".escapeshellarg($id).".xfdf output ../tmp/".escapeshellarg($id).".pdf flatten dont_ask";
        $logger->write($command . " " .$args);

        // Vérification que le don appartient bien à l'utilisateur connecté