calamaris.dat: Fixes bug 13886

Fixes: bug 13886 - calamaris.dat Multiple Parameters Command Injection
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

diff --git a/html/cgi-bin/logs.cgi/calamaris.dat b/html/cgi-bin/logs.cgi/calamaris.dat
index dcc812e4793d17eee8bc40129a1d8f158d3aff3f..1c8e4b68ec7143188bffcaf96eb593783613f03a 100644 (file)
--- a/html/cgi-bin/logs.cgi/calamaris.dat
+++ b/html/cgi-bin/logs.cgi/calamaris.dat
@@ -170,6 +170,10 @@ if ($reportsettings{'ACTION'} eq $Lang::tr{'calamaris create report'})
 
        if ($reportsettings{'RUN_BACKGROUND'} eq 'on') { $commandline.=" &"; }
 
+       if (!($commandline =~ /^[a-zA-Z0-9-\s]+$/))
+       {
+               die "Invalid input in\"$commandline\"";
+       }
        system("${General::swroot}/proxy/calamaris/bin/mkreport $commandline")
 }