fix: avoid using escapeshellcmd() by injecting $body via STDIN. not very elegant, but keeps with the spirit of escapeshellcmd()

This commit is contained in:
frederik
2024-02-17 14:45:31 +01:00
parent a10067cc09
commit a3a2ea6dc4
+5 -1
View File
@@ -310,7 +310,11 @@ if(isset($_GET['sendtest']) && $_GET['sendtest'] == "true") {
$body = str_replace("\$overlap", $overlap, $body);
$body = str_replace("\$flickrimage", $exampleimage, $body);
echo "<pre class=\"bash\">".shell_exec($home."/BirdNET-Pi/birdnet/bin/apprise -vv --plugin-path ".$home."/.apprise/plugins "." -t '".escapeshellcmd($title)."' -b '".escapeshellcmd($body)."' ".$attach." ".$cf." ")."</pre>";
$temp = tmpfile();
$tpath = stream_get_meta_data($temp)['uri'];
fwrite($temp, $body);
echo "<pre class=\"bash\">".shell_exec($home."/BirdNET-Pi/birdnet/bin/apprise -vv --plugin-path ".$home."/.apprise/plugins "." -t '".escapeshellcmd($title)."' ".$attach." ".$cf." <".$tpath)."</pre>";
fclose($temp);
die();
}