MQE-1354: bug fix in command.php

jilu1 · jilu1 · commit b754b185ab1e · 2018-12-03T17:08:28.000-06:00
diff --git a/etc/config/command.php b/etc/config/command.php
@@ -10,7 +10,7 @@
     $password = urldecode($_POST['password']);
     $command = urldecode($_POST['command']);
     if (array_key_exists("arguments", $_POST)) {
-        $arguments = urldecode($_POST['arguments']);
+        $arguments = escapeshellarg(urldecode($_POST['arguments']));
     } else {
         $arguments = null;
     }
@@ -21,7 +21,7 @@
         $valid = validateCommand($magentoBinary, $command);
         if ($valid) {
             exec(
-                escapeCommand($magentoBinary . ' ' . $command) . " $arguments" ." 2>&1",
+                escapeCommand($magentoBinary . " $command" . " $arguments") . " 2>&1",
                 $output,
                 $exitCode
             );
