

Merge pull request #35 from sitegeist/bugfix/escapePasswordProperly
BUGFIX: Correct escaping of password arguments via shell
mficzel authored Sep 11, 2019
2 parents abef3fc + 908d168 commit 119bed9
Showing 2 changed files with 8 additions and 4 deletions.
4 changes: 4 additions & 0 deletions Classes/Command/CloneCommandController.php
Expand Up @@ -209,8 +209,12 @@ protected function cloneRemoteHost(

$this->addSecret($this->databaseConfiguration['user']);
$this->addSecret($this->databaseConfiguration['password']);
$this->addSecret(escapeshellcmd($this->databaseConfiguration['password']));
$this->addSecret(escapeshellarg(escapeshellcmd($this->databaseConfiguration['password'])));
$this->addSecret($remotePersistenceConfiguration['user']);
$this->addSecret($remotePersistenceConfiguration['password']);
$this->addSecret(escapeshellcmd($remotePersistenceConfiguration['password']));
$this->addSecret(escapeshellarg(escapeshellcmd($remotePersistenceConfiguration['password'])));

#######################
# Check Configuration #
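Review bot: The new `addSecret()` calls repeat the exact `escapeshellarg(escapeshellcmd(...))` expression that `SimpleDBAL` uses to render the password, so the two files have to change together or the registered value no longer matches what is printed. `addSecret()` is not visible here; if it masks these strings in command output, any further quoting layer applied to the built command (for example when it is wrapped for a remote shell) would produce a form that none of the three registered variants covers. I would add a comment above the block such as `// must be the exact strings SimpleDBAL::buildCmd()/buildDumpCmd() emit for the password, otherwise it is logged unmasked`, or better, have `SimpleDBAL` expose the escaped form through one helper that both places call. The body of `cloneRemoteHost` starts and continues outside this hunk.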
8 changes: 4 additions & 4 deletions Classes/DBAL/SimpleDBAL.php
Expand Up @@ -22,9 +22,9 @@ class SimpleDBAL {
public function buildCmd(string $driver, ?string $host, int $port, string $username, string $password, string $database): string
{
if ($driver === 'pdo_mysql') {
return sprintf('mysql --host=%s --port=%s --user=%s --password=\'"\'"%s"\'"\'', escapeshellarg($host), escapeshellarg($port), escapeshellarg($username), escapeshellarg($password), escapeshellarg($database));
return sprintf('mysql --host=%s --port=%s --user=%s --password=%s %s', escapeshellarg($host), escapeshellarg($port), escapeshellarg($username), escapeshellarg(escapeshellcmd($password)), escapeshellarg($database));
} else if ($driver === 'pdo_pgsql') {
return sprintf('PGOPTIONS=--client-min-messages=warning PGPASSWORD=\'"\'"%s"\'"\' psql --quiet --host=%s --port=%s --username=%s --dbname=%s', escapeshellarg($password), escapeshellarg($host), escapeshellarg($port), escapeshellarg($username), escapeshellarg($database));
return sprintf('PGOPTIONS=--client-min-messages=warning PGPASSWORD=%s psql --quiet --host=%s --port=%s --username=%s --dbname=%s', escapeshellarg(escapeshellcmd($password)), escapeshellarg($host), escapeshellarg($port), escapeshellarg($username), escapeshellarg($database));
}
}

Expand All @@ -40,9 +40,9 @@ public function buildCmd(string $driver, ?string $host, int $port, string $usern
public function buildDumpCmd(string $driver, ?string $host, int $port, string $username, string $password, string $database): string
{
if ($driver === 'pdo_mysql') {
return sprintf('mysqldump --single-transaction --add-drop-table --host=%s --port=%d --user=%s --password=\'"\'"%s"\'"\' %s', escapeshellarg($host), escapeshellarg($port), escapeshellarg($username), escapeshellarg($password), escapeshellarg($database));
return sprintf('mysqldump --single-transaction --add-drop-table --host=%s --port=%d --user=%s --password=%s %s', escapeshellarg($host), escapeshellarg($port), escapeshellarg($username), escapeshellarg(escapeshellcmd($password)), escapeshellarg($database));
} else if ($driver === 'pdo_pgsql') {
return sprintf('PGPASSWORD=\'"\'"%s"\'"\' pg_dump --host=%s --port=%s --username=%s --dbname=%s --schema=public --no-owner --no-privileges', escapeshellarg($password), escapeshellarg($host), escapeshellarg($port), escapeshellarg($username), escapeshellarg($database));
return sprintf('PGPASSWORD=%s pg_dump --host=%s --port=%s --username=%s --dbname=%s --schema=public --no-owner --no-privileges', escapeshellarg(escapeshellcmd($password)), escapeshellarg($host), escapeshellarg($port), escapeshellarg($username), escapeshellarg($database));
}
}

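Review bot: Wrapping the password in `escapeshellcmd()` before `escapeshellarg()` (all four new `return` lines in `buildCmd` and `buildDumpCmd`) only round-trips if the built string is later parsed by more than one shell layer; the caller is not visible here, so that is an assumption the code should state in a comment. When the string is run by a single shell, the single quotes from `escapeshellarg()` preserve the backslashes that `escapeshellcmd()` puts in front of characters such as `$`, `&` or `;`, and the client receives a different password than the configured one. The password also still travels inside the command string, where it can appear in process listings and logs; handing it to the client through the child process environment (`MYSQL_PWD`, `PGPASSWORD`) or a client option file (`--defaults-extra-file`) would remove the need to shell-escape it at all. Separately, the new `mysqldump` line keeps `--port=%d` together with `escapeshellarg($port)`, and `%d` converts the quoted string to `0`; `--port=%s`, as `buildCmd` already uses, would keep the configured port.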
