Fixed problem with script parameter they wasn't escaped.

git-svn-id: https://oss.gonicus.de/repositories/gosa/trunk@19466 594d385d-05f5-0310-b6e9-bd551577e9d8

diff --git a/gosa-core/include/class_plugin.inc b/gosa-core/include/class_plugin.inc
index ba5c715c72d8504c21f5a1e96a026576399a1f80..6b87896596548b7dcc295b806e7206caf7a2b61e 100644 (file)
--- a/gosa-core/include/class_plugin.inc
+++ b/gosa-core/include/class_plugin.inc
@@ -1630,7 +1630,7 @@ class plugin
           if(!is_string($value) && !is_int($value) && !is_float($value) && !is_bool($value)){
             continue;
           }
-          $command= preg_replace("/%$name/", $value, $command);
+          $command= preg_replace("/%$name/", escapeshellarg($value), $command);
         }
       }
 

diff --git a/gosa-core/include/functions.inc b/gosa-core/include/functions.inc
index 9ac8c77550bf725d9bed74e1259781ef758b4abb..f592449fd76cc3cf418a27389dc6d2a8c0172c8f 100644 (file)
--- a/gosa-core/include/functions.inc
+++ b/gosa-core/include/functions.inc
@@ -3099,8 +3099,8 @@ function change_password ($dn, $password, $mode=0, $hash= "")
 
       if ($command != ""){
         /* Walk through attribute list */
-        $command= preg_replace("/%userPassword/", $password, $command);
-        $command= preg_replace("/%dn/", $dn, $command);
+        $command= preg_replace("/%userPassword/", escapeshellarg($password), $command);
+        $command= preg_replace("/%dn/", escapeshellarg($dn), $command);
 
         if (check_command($command)){
           @DEBUG (DEBUG_SHELL, __LINE__, __FUNCTION__, __FILE__, $command, "Execute");