From b325d3a7d4c1ff7338ce8e70fad8c6eef929e337 Mon Sep 17 00:00:00 2001
From: Kevin Kozan
Date: Thu, 13 Jun 2019 10:18:48 -0500
Subject: [PATCH] MQE-1510
---
 etc/config/command.php | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/etc/config/command.php b/etc/config/command.php
index 047af324a..9de9e31c7 100644
--- a/etc/config/command.php
+++ b/etc/config/command.php
@@ -11,9 +11,9 @@
 $magentoObjectManager = $magentoObjectManagerFactory->create($_SERVER);
 $tokenModel = $magentoObjectManager->get(\Magento\Integration\Model\Oauth\Token::class);
- $tokenPassedIn = urldecode($_POST['token']);
- $command = urldecode($_POST['command']);
- $arguments = urldecode($_POST['arguments']);
+ $tokenPassedIn = urldecode($_POST['token'] ?? "");
+ $command = urldecode($_POST['command'] ?? "");
+ $arguments = urldecode($_POST['arguments'] ?? "");
 // Token returned will be null if the token we passed in is invalid
 $tokenFromMagento = $tokenModel->loadByToken($tokenPassedIn)->getToken();
@@ -22,7 +22,12 @@
 $magentoBinary = $php . ' -f ../../../../bin/magento';
 $valid = validateCommand($magentoBinary, $command);
 if ($valid) {
- $process = new Symfony\Component\Process\Process($magentoBinary . " $command" . " $arguments");
+ // Turn string into array for symfony escaping
+ $commandParts = array_filter(explode(" ", $command));
+ $argumentParts = array_filter(explode(" ", $arguments));
+ $magentoBinaryParts = array_filter(explode(" ", $magentoBinary));
+ $commandArray = array_merge($magentoBinaryParts, $commandParts);
+ $process = new Symfony\Component\Process\Process($commandArray);
 $process->setIdleTimeout(60);
 $process->setTimeout(0);
 $idleTimeout = false;
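Review bot: Defaulting a missing `token` or `command` to `""` in the `@@ -11,9 +11,9 @@` hunk removes the undefined-index notice but lets the request carry on into `loadByToken("")` and `validateCommand()` with empty strings. Whether the later token comparison rejects that case is outside this hunk, so an explicit guard right after the three assignments would make the intent unambiguous, for example `if ($tokenPassedIn === '' || $command === '') { http_response_code(400); exit; }` (the status code is a suggestion and should match how the rest of the script reports errors). PHP has already URL-decoded `$_POST`, so `urldecode()` decodes a second time here; if the client deliberately double-encodes, a comment such as `// values are double-encoded by the MFTF client` would stop a later reader from treating it as a mistake.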
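Review bot: `$argumentParts` is built in the `@@ -22,7 +22,12 @@` hunk but never added to the command, so every request now runs without its arguments; the merge should read `$commandArray = array_merge($magentoBinaryParts, $commandParts, $argumentParts);`. `array_filter()` without a callback also discards any part equal to `"0"`, so `array_filter(explode(" ", $arguments), 'strlen')` is the safer form for all three splits. Splitting on single spaces means a quoted value that contains a space arrives as several arguments with the quote characters kept literally, which deserves a comment stating the accepted argument format. Passing an array does remove shell interpretation, but only `$command` goes through `validateCommand()`; the arguments reach `bin/magento` unchecked, so the token check stays the only control on them. The enclosing `if ($valid)` block continues past the end of the hunk.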