ZoneMinder
/
zoneminder
mirror of https://github.com/ZoneMinder/zoneminder.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Add quotes around dbUser and dbPass to prevent command injection

pull/3804/head
Isaac Connor 2024-01-02 14:00:34 -05:00
parent b39445d5c5
commit 42a284d9ac
1 changed files with 4 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
scripts/zmcamtool.pl.in
View File

@ -103,7 +103,9 @@ GetOptions(
) or pod2usage(-exitstatus => -1); ) or pod2usage(-exitstatus => -1);
$Config{ZM_DB_USER} = $dbUser; $Config{ZM_DB_USER} = $dbUser;
$dbUser =~ s/'/\\'/g;
$Config{ZM_DB_PASS} = $dbPass; $Config{ZM_DB_PASS} = $dbPass;
$dbPass =~ s/'/\\'/g;
if ( $version ) { if ( $version ) {
print( ZoneMinder::Base::ZM_VERSION . "\n"); print( ZoneMinder::Base::ZM_VERSION . "\n");
@ -345,9 +347,9 @@ sub exportsql {
my $command = 'mysqldump -t --skip-opt --compact -h'.$host; my $command = 'mysqldump -t --skip-opt --compact -h'.$host;
$command .= ' -P'.$port if defined($port); $command .= ' -P'.$port if defined($port);
if ( $dbUser ) { if ( $dbUser ) {
$command .= ' -u'.$dbUser; $command .= ' -u\''.$dbUser.'\'';
if ( $dbPass ) { if ( $dbPass ) {
$command .= ' -p'.$dbPass; $command .= ' -p\''.$dbPass.'\'';
} }
} }