Fix to quotemeta when generating certs

https://github.com/virtualmin/virtualmin-gpl/issues/363#issuecomment-1026438307
2026-02-03 06:03:28 +00:00 · 2022-02-02 01:08:27 +03:00
parent 4f9cba0b33
commit 323e789c16
2 changed files with 6 additions and 5 deletions
--- a/usermin/newkey.cgi
+++ b/usermin/newkey.cgi
@@ -32,7 +32,7 @@ $ctemp = &transname();
 $ktemp = &transname();
 $outtemp = &transname();
 $size = $in{'size_def'} ? $default_key_size : $in{'size'};
-&open_execute_command(CA, "$cmd req -newkey rsa:$size -x509 -nodes -out $ctemp -keyout $ktemp -days $in{'days'} >$outtemp 2>&1", 0);
+&open_execute_command(CA, "$cmd req -newkey rsa:$size -x509 -nodes -out ".quotemeta($ctemp)." -keyout ".quotemeta($ktemp)." -days $in{'days'} >".quotemeta($outtemp)." 2>&1", 0);
 print CA ($in{'countryName'} || "."),"\n";
 print CA ($in{'stateOrProvinceName'} || "."),"\n";
 print CA ($in{'cityName'} || "."),"\n";
@@ -42,7 +42,8 @@ print CA ($in{'commonName_def'} ? "*" : $in{'commonName'}),"\n";
 print CA ($in{'emailAddress'} || "."),"\n";
 close(CA);
 $rv = $?;
-$out = `cat $outtemp`;
+$qouttemp = quotemeta($outtemp);
+$out = `cat $qouttemp`;
 &unlink_file($outtemp);
 if (!-r $ctemp || !-r $ktemp || $?) {
 	print "<p>$text{'newkey_essl'}<br>\n";
@@ -51,7 +52,7 @@ if (!-r $ctemp || !-r $ktemp || $?) {
 	exit;
 	}
 &lock_file($in{'newfile'});
-&execute_command("cat $ctemp $ktemp 2>&1 >'$in{'newfile'}'", undef, \$catout);
+&execute_command("cat ".quotemeta($ctemp)." ".quotemeta($ktemp)." 2>&1 >'$in{'newfile'}'", undef, \$catout);
 &unlink_file($ctemp);
 &unlink_file($ktemp);
 if ($catout || $?) {
--- a/webmin/webmin-lib.pl
+++ b/webmin/webmin-lib.pl
@@ -2021,9 +2021,9 @@ my $subject = &build_ssl_subject($in{'countryName'},
 				 $in{'emailAddress'});
 my $conf = &build_ssl_config(\@cns);
 my $out = &backquote_logged(
-	"$cmd req -newkey rsa:$size -x509 -sha256 -nodes -out $ctemp -keyout $ktemp ".
+	"$cmd req -newkey rsa:$size -x509 -sha256 -nodes -out ".quotemeta($ctemp)." -keyout ".quotemeta($ktemp)." ".
 	"-days ".quotemeta($in{'days'})." -subj ".quotemeta($subject)." ".
-	"-config $conf -reqexts v3_req -utf8 2>&1");
+	"-config ".quotemeta($conf)." -reqexts v3_req -utf8 2>&1");
 if (!-r $ctemp || !-r $ktemp || $?) {
 	return $text{'newkey_essl'}."<br>"."<pre>".&html_escape($out)."</pre>";
 	}