fix!: fix bug where single quotes are escaped in CLI process (adding:…

… %27) changed to more secure PHP escapeshellarg
renderpci · May 13, 2024 · 238b847 · 238b847
1 parent 559e76a
commit 238b847
Showing 1 changed file with 1 addition and 6 deletions.
diff --git a/core/common/class.exec_.php b/core/common/class.exec_.php
@@ -315,11 +315,6 @@ public static function request_cli(object $options) : object {
 			foreach ($params as $key => $value) {
 				$safe_params->{$key} = safe_xss($value);
 			}
-			$safe_params_string = json_encode($safe_params);
-			// replace single quotes by the URL encoding value %27
-			$safe_params_string = str_replace("'", '%27', $safe_params_string);
-			// restore object safe_params after escape it
-			$safe_params = json_decode($safe_params_string);
 
 		// server_vars
 			// sh_data mandatory vars
@@ -346,7 +341,7 @@ public static function request_cli(object $options) : object {
 			$process_runner	= DEDALO_CORE_PATH . '/base/process_runner.php';
 
 		// command composition
-			$cmd		= PHP_BIN_PATH . " $process_runner '$server_vars' ";
+			$cmd		= PHP_BIN_PATH . " $process_runner " . escapeshellarg($server_vars);
 			$command	= "nohup nice -n 19 $cmd >$file_path 2>&1 & echo $!";
 
 			// debug