diff --git a/controllers/internals/Command.php b/controllers/internals/Command.php
index 38fa70a..1f2d9a9 100644
--- a/controllers/internals/Command.php
+++ b/controllers/internals/Command.php
@@ -78,6 +78,11 @@ namespace controllers\internals;
 */
 public function analyze_and_process (int $id_user, string $message)
 {
+ if (!ENABLE_COMMAND)
+ {
+ return false;
+ }
+
 $extracted_command = [];
 $decode_message = json_decode(trim($message), true);
 
@@ -127,7 +132,13 @@ namespace controllers\internals;
 $decode_message['password'] = '******';
 $updated_text = json_encode($decode_message);
 
- $generated_command = PWD_SCRIPTS . '/' . $find_command['script'];
+ $script = $find_command['script'];
+ while (str_replace('..', '', $script) !== $script)
+ {
+ $script = str_replace('..', '', $script);
+ }
+
+ $generated_command = PWD_SCRIPTS . '/' . escapeshellarg($script);
 
 $args = $decode_message['args'] ?? '';
 $generated_command .= ' ' . escapeshellcmd($args);
diff --git a/controllers/publics/Command.php b/controllers/publics/Command.php
index 0c475f5..c3cf06a 100644
--- a/controllers/publics/Command.php
+++ b/controllers/publics/Command.php
@@ -27,6 +27,14 @@ namespace controllers\publics;
 $this->internal_event = new \controllers\internals\Event($bdd);
 
 \controllers\internals\Tool::verifyconnect();
+
+ if (!ENABLE_COMMAND)
+ {
+ \FlashMessage\FlashMessage::push('danger', 'Les commandes sont désactivées.');
+ $this->redirect(\descartes\Router::url('Dashboard', 'show'));
+
+ exit(0);
+ }
 }
 
 /**
diff --git a/templates/incs/nav.php b/templates/incs/nav.php
index 0535bca..f7d7e3e 100644
--- a/templates/incs/nav.php
+++ b/templates/incs/nav.php
@@ -80,9 +80,11 @@
-
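Review bot: The new guard `if (!ENABLE_COMMAND)` at the top of analyze_and_process fails open on an installation whose config predates this constant: on PHP 7 an undefined constant evaluates to the string 'ENABLE_COMMAND' with only a warning, which is truthy, so `!ENABLE_COMMAND` is false and command execution stays enabled (PHP 8 throws instead). Where ENABLE_COMMAND is defined is not visible in this diff, so unless a defaults file guarantees it, prefer `if (!defined('ENABLE_COMMAND') || !ENABLE_COMMAND)`; the same applies to the constructor guard added in controllers/publics/Command.php. The body of analyze_and_process continues past this hunk, so how callers distinguish this `return false` from its other return paths cannot be checked from here.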
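Review bot: The `..`-stripping loop on `$script` normalizes instead of rejecting, so a tampered or mistyped command record is silently rewritten and a different file is executed (e.g. `my..tool.sh` runs `mytool.sh`), and it does nothing against a symlink under PWD_SCRIPTS that points elsewhere. A containment check on the resolved path, returning false for anything outside PWD_SCRIPTS, is the stronger and more predictable guard; the sketch below returns false like the guard added at the top of this function, assuming this hunk is still inside analyze_and_process, whose body starts and ends outside the hunk. Separately, `escapeshellcmd($args)` on the following unchanged line blocks command chaining but still lets the sender pass extra whitespace-separated arguments to the script; splitting the arguments and wrapping each in `escapeshellarg()` would close that if the scripts accept options.
```php
$script = $find_command['script'];
$scripts_dir = realpath(PWD_SCRIPTS);
$script_path = realpath(PWD_SCRIPTS . '/' . $script);
// Reject anything that does not resolve to a file strictly inside PWD_SCRIPTS (covers '..', symlinks, empty names).
if ($scripts_dir === false || $script_path === false
    || strncmp($script_path, $scripts_dir . '/', strlen($scripts_dir) + 1) !== 0)
{
    return false;
}

$generated_command = escapeshellarg($script_path);
// … unchanged: args handling …
```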