From 85a8d8fe92480d6a0761f3594d7b0bd7575c1e52 Mon Sep 17 00:00:00 2001
From: Lutz Bender
Date: Mon, 5 Feb 2024 08:18:07 +0100
Subject: [PATCH] fix command injection

---
 web/settings/mqttapi.php | 6 +++---
 web/settings/saveconfig.php | 8 ++++----
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/web/settings/mqttapi.php b/web/settings/mqttapi.php
index 438cf1ee71..c480d4c6a7 100644
--- a/web/settings/mqttapi.php
+++ b/web/settings/mqttapi.php
@@ -8,7 +8,7 @@
 $message = $_GET["message"];
 # check if topic is allowed to write
 if(strpos($topic, "/set/") !== false){
- $command = "mosquitto_pub -h localhost -t '$topic' -m '$message' 2>&1";
+ $command = "mosquitto_pub -h localhost -t " . escapeshellarg($topic) . " -m " . escapeshellarg($message) . " 2>&1";
 $output = exec($command);
 # Skip an annoying warning because it doesn't cause any problems
 $output = str_replace("Warning: Unable to locate configuration directory, default config not loaded.", "", $output);
@@ -29,7 +29,7 @@
 }
 # reading topic
 else{
- $command = "mosquitto_sub -h localhost -t '$topic' -C 1 -W 1 2>&1";
+ $command = "mosquitto_sub -h localhost -t " . escapeshellarg($topic) . " -C 1 -W 1 2>&1";
 $output = exec($command);
 # Skip an annoying warning because it doesn't cause any problems
 $output = str_replace("Warning: Unable to locate configuration directory, default config not loaded.", "", $output);
@@ -48,4 +48,4 @@
 http_response_code(400);
 echo "Error: No 'topic' field provided. \nExample reading a MQTT-Topic: 'http://IP/openWB/web/settings/mqttapi.php?topic=openWB/pv/W' \nExample writing a MQTT-Topic: 'http://IP/openWB/web/settings/mqttapi.php?topic=openWB/set/pv/1/W&message=-1000' ";
 }
-?>
\ No newline at end of file
+?>
diff --git a/web/settings/saveconfig.php b/web/settings/saveconfig.php
index ad4fda97cd..dd9d40456d 100644
--- a/web/settings/saveconfig.php
+++ b/web/settings/saveconfig.php
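Review bot: The allowed-topic check the rewritten `$command` line sits under, `if(strpos($topic, "/set/") !== false)`, is a substring test, so any topic with `/set/` anywhere in its path is treated as writable; if the writable namespace is the `openWB/set/` prefix shown in the usage text at the end of the file, anchor it as `if(strpos($topic, "openWB/set/") === 0)`. The context line `$message = $_GET["message"];` leaves `$message` null when the parameter is missing, which PHP 8.1+ reports as a deprecated null argument to `escapeshellarg()`; reading it as `$_GET["message"] ?? ''` keeps it a string, and `$topic`, presumably assigned the same way above the hunk, would benefit from the same treatment. The enclosing `if` block continues past the hunk.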
@@ -142,8 +142,8 @@ if( array_key_exists( 'etprovideraktiv', $_POST ) && ($_POST['etprovideraktiv'] == 1) ){ ?> > /var/log/openWB.log 2>&1 &" ); - exec( 'mosquitto_pub -t openWB/global/ETProvider/modulePath -r -m "' . $_POST['etprovider'] . '"' ); + exec( $_SERVER['DOCUMENT_ROOT'] . "/openWB/modules/" . escapeshellcmd($_POST['etprovider']) . "/main.sh >> /var/log/openWB.log 2>&1 &" ); + exec( 'mosquitto_pub -t openWB/global/ETProvider/modulePath -r -m "' . escapeshellarg($_POST['etprovider']) . '"' ); } // start ev-soc updates if in POST data @@ -151,13 +151,13 @@ /dev/null &" ); + exec( $_SERVER['DOCUMENT_ROOT'] . "/openWB/modules/" . escapeshellcmd($_POST['socmodul']) . "/main.sh > /dev/null &" ); } if( array_key_exists( 'socmodul1', $_POST ) && ($_POST['socmodul1'] != 'none') ){ ?> /dev/null &" ); + exec( $_SERVER['DOCUMENT_ROOT'] . "/openWB/modules/" . escapeshellcmd($_POST['socmodul1']) . "/main.sh > /dev/null &" ); } // check for rfid mode and start/stop handler
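Review bot: `escapeshellcmd()` on the new `main.sh` line is the wrong primitive for a path component: it escapes shell metacharacters but leaves `/`, `.` and whitespace alone, so the POST value still decides which directory below `modules/` gets executed and can split the path into several shell words; the `socmodul` and `socmodul1` lines in the next hunk have the same problem. Validate the value against an anchored allow-list pattern (or the set of existing module directories) and reject the request otherwise, then quote the whole path with `escapeshellarg()`. The second new line splices the `escapeshellarg()` result inside a double-quoted shell string, `-m "' . escapeshellarg(...) . '"`, which publishes the value with literal single quotes and keeps the shell's double-quote expansion (`$`, backticks, `"`) active for it, so the quoting does not isolate the value; drop the surrounding `"`. The context lines of this hunk look mangled by extraction and the enclosing `if` block is only partly visible, so the excerpt below assumes only the branch structure implied by the new lines.
```php
// … unchanged: etprovideraktiv check …
$module = $_POST['etprovider'];
// the value names a directory under modules/: accept plain names only, never '/', '.' or whitespace
if (preg_match('/\A[A-Za-z0-9_-]+\z/', $module)) {
    exec( escapeshellarg($_SERVER['DOCUMENT_ROOT'] . "/openWB/modules/" . $module . "/main.sh") . " >> /var/log/openWB.log 2>&1 &" );
    exec( 'mosquitto_pub -t openWB/global/ETProvider/modulePath -r -m ' . escapeshellarg($module) );
}
// else: report the invalid input the way the rest of this file does
// … unchanged: closing brace and ev-soc section …
```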