Added escapeshellargs for security reasons

[gosa.git] / gosa-core / include / functions.inc

diff --git a/gosa-core/include/functions.inc b/gosa-core/include/functions.inc
index 9a06ea1c1e47aa6fed77ac3d5a09eaa38035d541..f2e0a911188473df929eb75268d8d6f0b92cd0e3 100644 (file)
--- a/gosa-core/include/functions.inc
+++ b/gosa-core/include/functions.inc
@@ -2676,7 +2676,7 @@ function get_base_from_hook($dn, $attrib)
     $command= $config->get_cfg_value("baseIdHook");
 
     if ($command != ""){
-      $command.= " '".LDAP::fix($dn)."' $attrib";
+      $command.= " ".escapeshellarg(LDAP::fix($dn))." ".escapeshellarg($attrib);
       if (check_command($command)){
         @DEBUG (DEBUG_SHELL, __LINE__, __FUNCTION__, __FILE__, $command, "Execute");
         exec($command, $output);
@@ -3059,8 +3059,8 @@ function change_password ($dn, $password, $mode=0, $hash= "")
 
       if ($command != ""){
         /* Walk through attribute list */
-        $command= preg_replace("/%userPassword/", $password, $command);
-        $command= preg_replace("/%dn/", $dn, $command);
+        $command= preg_replace("/%userPassword/", escapeshellarg($password), $command);
+        $command= preg_replace("/%dn/", escapeshellarg($dn), $command);
 
         if (check_command($command)){
           @DEBUG (DEBUG_SHELL, __LINE__, __FUNCTION__, __FILE__, $command, "Execute");