From a3a2ea6dc4cf4be129eca74b3435e6e8116a0408 Mon Sep 17 00:00:00 2001 From: frederik Date: Sat, 17 Feb 2024 14:45:31 +0100 Subject: [PATCH] fix: avoid using escapeshellcmd() by injecting $body via STDIN. not very elegant, but keeps with the spirit of escapeshellcmd() --- scripts/config.php | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/scripts/config.php b/scripts/config.php index 68b7c06..08c3af7 100644 --- a/scripts/config.php +++ b/scripts/config.php @@ -310,7 +310,11 @@ if(isset($_GET['sendtest']) && $_GET['sendtest'] == "true") { $body = str_replace("\$overlap", $overlap, $body); $body = str_replace("\$flickrimage", $exampleimage, $body); - echo "
".shell_exec($home."/BirdNET-Pi/birdnet/bin/apprise -vv --plugin-path ".$home."/.apprise/plugins "." -t '".escapeshellcmd($title)."' -b '".escapeshellcmd($body)."' ".$attach." ".$cf." ")."
"; + $temp = tmpfile(); + $tpath = stream_get_meta_data($temp)['uri']; + fwrite($temp, $body); + echo "
".shell_exec($home."/BirdNET-Pi/birdnet/bin/apprise -vv --plugin-path ".$home."/.apprise/plugins "." -t '".escapeshellcmd($title)."' ".$attach." ".$cf." <".$tpath)."
"; + fclose($temp); die(); }