From 1fabc481690e008279113e18d0642c5279e3b56e Mon Sep 17 00:00:00 2001
From: billz
Date: Fri, 17 Feb 2023 19:05:36 +0100
Subject: [PATCH] Sanitize post data w/ escapeshellcmd()
---
 ajax/logging/clearlog.php | 2 +-
 ajax/openvpn/activate_ovpncfg.php | 2 +-
 ajax/openvpn/del_ovpncfg.php | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/ajax/logging/clearlog.php b/ajax/logging/clearlog.php
index eff4338c..a5c67385 100644
--- a/ajax/logging/clearlog.php
+++ b/ajax/logging/clearlog.php
@@ -5,7 +5,7 @@ require_once '../../includes/config.php';
 require_once '../../includes/functions.php';
 if (isset($_POST['logfile'])) {
- $logfile = $_POST['logfile'];
+ $logfile = escapeshellcmd($_POST['logfile']);
 // truncate requested log file
 exec("sudo truncate -s 0 $logfile", $return);
diff --git a/ajax/openvpn/activate_ovpncfg.php b/ajax/openvpn/activate_ovpncfg.php
index 8856c363..06cff8b9 100644
--- a/ajax/openvpn/activate_ovpncfg.php
+++ b/ajax/openvpn/activate_ovpncfg.php
@@ -5,7 +5,7 @@ require_once '../../includes/config.php';
 require_once '../../includes/functions.php';
 if (isset($_POST['cfg_id'])) {
- $ovpncfg_id = $_POST['cfg_id'];
+ $ovpncfg_id = escapeshellcmd($_POST['cfg_id']);
 $ovpncfg_client = RASPI_OPENVPN_CLIENT_PATH.$ovpncfg_id.'_client.conf';
 $ovpncfg_login = RASPI_OPENVPN_CLIENT_PATH.$ovpncfg_id.'_login.conf';
diff --git a/ajax/openvpn/del_ovpncfg.php b/ajax/openvpn/del_ovpncfg.php
index 914f1431..26e0a6c0 100644
--- a/ajax/openvpn/del_ovpncfg.php
+++ b/ajax/openvpn/del_ovpncfg.php
@@ -5,7 +5,7 @@ require_once '../../includes/config.php';
 require_once '../../includes/functions.php';
 if (isset($_POST['cfg_id'])) {
- $ovpncfg_id = $_POST['cfg_id'];
+ $ovpncfg_id = escapeshellcmd($_POST['cfg_id']);
 $ovpncfg_files = pathinfo(RASPI_OPENVPN_CLIENT_LOGIN, PATHINFO_DIRNAME).'/'.$ovpncfg_id.'_*.conf';
 exec("sudo rm $ovpncfg_files", $return);
 $jsonData = ['return'=>$return];
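Review bot: `escapeshellcmd()` is the wrong escaping primitive for the value assigned to `$logfile` in ajax/logging/clearlog.php: it backslash-escapes shell metacharacters but neither quotes the value nor stops whitespace from splitting it into several arguments, so the request can still hand extra options or operands to `sudo truncate`. Quote the single argument instead, `$logfile = escapeshellarg($_POST['logfile']);`, and end option parsing in the command, `exec("sudo truncate -s 0 -- $logfile", $return);`. Quoting alone still lets the caller name any file the sudo rule permits, so the path should also be compared against a fixed list of known log files before the exec. The same substitution in ajax/openvpn/del_ovpncfg.php has the same argument-splitting problem. The `if` block continues past the end of the hunk.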
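Review bot: In ajax/openvpn/activate_ovpncfg.php `$ovpncfg_id` is concatenated into `$ovpncfg_client` and `$ovpncfg_login` as a path component, and `escapeshellcmd()` leaves `/` and `..` untouched, so the id can still point both paths outside `RASPI_OPENVPN_CLIENT_PATH`. Shell escaping belongs where a command string is built, not on a value that is first used to build filenames; the id needs validation here, for example `$ovpncfg_id = basename($_POST['cfg_id']);` plus a check that the resulting `_client.conf` exists, or a strict pattern match if the id format is fixed. How the two paths are used lies outside the hunk, so the impact depends on the code that follows. ajax/openvpn/del_ovpncfg.php builds a path from the same field and needs the same validation.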
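Review bot: The `exec("sudo rm $ovpncfg_files", $return);` line in ajax/openvpn/del_ovpncfg.php relies on the shell expanding `_*.conf`, so the operand cannot simply be quoted, and the escaped `cfg_id` placed in front of the wildcard still decides which directory and filename prefix the privileged `rm` expands in. A safer shape is to validate the id first, expand the pattern in PHP, and pass each match as one quoted operand, e.g. `foreach (glob($pattern) as $f) { exec('sudo rm -- '.escapeshellarg($f), $return); }`. This assumes the web user can list that directory and that the sudoers rule accepts the per-file form; both need confirming. The `if` block continues past the end of the hunk.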