From 3092a796c138c0b8b22563b68dd21d8e5e1c37e8 Mon Sep 17 00:00:00 2001
From: Adolf Belka
Date: Thu, 25 Sep 2025 13:12:46 +0200
Subject: [PATCH] calamaris.dat: Fixes bug 13886
Fixes: bug 13886 - calamaris.dat Multiple Parameters Command Injection
Signed-off-by: Adolf Belka
Signed-off-by: Michael Tremer
---
 html/cgi-bin/logs.cgi/calamaris.dat | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/html/cgi-bin/logs.cgi/calamaris.dat b/html/cgi-bin/logs.cgi/calamaris.dat
index dcc812e47..1c8e4b68e 100644
--- a/html/cgi-bin/logs.cgi/calamaris.dat
+++ b/html/cgi-bin/logs.cgi/calamaris.dat
@@ -170,6 +170,10 @@ if ($reportsettings{'ACTION'} eq $Lang::tr{'calamaris create report'})
 if ($reportsettings{'RUN_BACKGROUND'} eq 'on') { $commandline.=" &"; }
+ if (!($commandline =~ /^[a-zA-Z0-9-\s]+$/))
+ {
+ die "Invalid input in\"$commandline\"";
+ }
 system("${General::swroot}/proxy/calamaris/bin/mkreport $commandline")
 }
--
2.47.3
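Review bot: The new allow-list check runs after the context line `if ($reportsettings{'RUN_BACKGROUND'} eq 'on') { $commandline.=" &"; }`, and `&` is not in `[a-zA-Z0-9-\s]`, so every report requested with RUN_BACKGROUND set to 'on' now ends in `die`. Moving the check above that line would restrict it to the part of the string that is presumably built from the submitted parameters, leaving the script's own ` &` suffix out of the test. The class is also wider than it needs to be: `\s` admits a newline and `$` tolerates a trailing one, and the shell that single-string `system()` hands the command to treats a newline as a command terminator, so `if ($commandline !~ /\A[a-zA-Z0-9 -]+\z/)` with a literal space is the tighter form. The `die` text echoes the rejected string unescaped, where a fixed message would be safer for a CGI. How `$commandline` is assembled lies outside the hunk, so validating each parameter where it is read and calling `system()` in list form would be the sturdier fix if that code allows it.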