From 31eb2180944af65acda9313e830d03444e1e01ae Mon Sep 17 00:00:00 2001
From: iliajie <gpg@ilia.engineer>
Date: Tue, 28 Feb 2023 20:36:39 +0200
Subject: [PATCH] Fix to always use `quotemeta`

---
 filemin/setfacl.cgi | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/filemin/setfacl.cgi b/filemin/setfacl.cgi
index 80f3c818e..8aaca74cb 100755
--- a/filemin/setfacl.cgi
+++ b/filemin/setfacl.cgi
@@ -43,13 +43,16 @@ error($text{'acls_error'}) if (!$cmd);
 # Params are not accepted in clear mode
 my $types;
 if ($action ne '-b' && $action ne '-k') {
-    $types = join(',',@types) if (@types);
-    $types .= " $extra" if ($extra);
+    $types = quotemeta(join(',',@types)) if (@types);
+    if ($extra) {
+        my @extra = split(/\s+/, $extra);
+        @extra = map { quotemeta($_) } @extra;
+        $types .= " ".join(' ', @extra) ;
+        }
     }
-my $args = "$action $types $recursive";
+my $args = quotemeta($action)." ".$types." ".quotemeta($recursive);
 $args =~ s/\s+/ /g;
 $args = &trim($args);
-$args =~ s/[\`\$\;\/\'\"\?\%\&\#\*\(\)\+]//g;
 foreach my $file (@files) {
     my $qfile = quotemeta("$path/$file");
     next if (!-r "$path/$file");