calamaris.dat: Move the check before adding shell redirection

Fixes: #13886 - /cgi-bin/logs.cgi/calamaris.dat Multiple Parameters Command Injection
Reported-by: Wade Sparks <wsparks@vulncheck.com>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

diff --git a/html/cgi-bin/logs.cgi/calamaris.dat b/html/cgi-bin/logs.cgi/calamaris.dat
index 1c8e4b68ec7143188bffcaf96eb593783613f03a..f0ed1c265751e3515939b03dcce9e6674ed7f873 100644 (file)
--- a/html/cgi-bin/logs.cgi/calamaris.dat
+++ b/html/cgi-bin/logs.cgi/calamaris.dat
@@ -166,14 +166,15 @@ if ($reportsettings{'ACTION'} eq $Lang::tr{'calamaris create report'})
                $commandline.=' -s';
        }
 
-       $commandline.=' < /dev/null > /dev/null 2>&1';
-
-       if ($reportsettings{'RUN_BACKGROUND'} eq 'on') { $commandline.=" &"; }
-
        if (!($commandline =~ /^[a-zA-Z0-9-\s]+$/))
        {
                die "Invalid input in\"$commandline\"";
        }
+
+       $commandline.=' < /dev/null > /dev/null 2>&1';
+
+       if ($reportsettings{'RUN_BACKGROUND'} eq 'on') { $commandline.=" &"; }
+
        system("${General::swroot}/proxy/calamaris/bin/mkreport $commandline")
 }