hardening: move to argument array pattern for shell execution (#6854)

Author: somethingwithproof

lib/poller.php

@@ -119,9 +119,17 @@ function exec_poll_php(string $command, bool $using_proc_function, array $pipes,
  *
  * @return void
  */
-function exec_background(string $filename, string $args = '', string $redirect_args = '') : void {
+function exec_background(string $filename, string|array $args = '', string|array $redirect_args = '') : void {
 	global $debug;
 
+	if (is_array($args)) {
+		$args = implode(' ', array_map('cacti_escapeshellarg', $args));
+	}
+
+	if (is_array($redirect_args)) {
+		$redirect_args = implode(' ', $redirect_args); // redirect args should not be shell escaped generally as they contain > etc
+	}
+
 	cacti_log("DEBUG: About to Spawn a Remote Process [CMD: $filename, ARGS: $args]", true, 'POLLER', ($debug ? POLLER_VERBOSITY_NONE : POLLER_VERBOSITY_DEBUG));
 
 	if ($filename != '') {

lib/rrd.php

@@ -305,9 +305,13 @@ function rrdtool_execute() : mixed {
 	return call_user_func_array($function, $args);
 }
 
-function __rrd_execute(string $command_line, bool $log_to_stdout, int $output_flag = RRDTOOL_OUTPUT_STDOUT, mixed $rrdtool_pipe = null, string $logopt = 'WEBLOG') : mixed {
+function __rrd_execute(string|array $command_line, bool $log_to_stdout, int $output_flag = RRDTOOL_OUTPUT_STDOUT, mixed $rrdtool_pipe = null, string $logopt = 'WEBLOG') : mixed {
 	static $last_command;
 
+	if (is_array($command_line)) {
+		$command_line = implode(' ', array_map('cacti_escapeshellarg', $command_line));
+	}
+
 	/**
 	 * WIN32: before sending this command off to rrdtool, get rid
 	 * of all of the backslash (\) characters. Unix does not care; win32 does.

tests/Unit/ArgArrayHardeningTest.php

@@ -0,0 +1,40 @@
+<?php
+/*
+ +-------------------------------------------------------------------------+
+ | Copyright (C) 2004-2026 The Cacti Group                                 |
+ |                                                                         |
+ | This program is free software; you can redistribute it and/or           |
+ | modify it under the terms of the GNU General Public License             |
+ | as published by the Free Software Foundation; either version 2          |
+ | of the License, or (at your option) any later version.                  |
+ +-------------------------------------------------------------------------+
+ | Cacti: The Complete RRDtool-based Graphing Solution                     |
+ +-------------------------------------------------------------------------+
+*/
+
+require_once dirname(__DIR__) . '/Helpers/CactiStubs.php';
+
+// Mock cacti_escapeshellarg if it doesn't exist in testing env
+if (!function_exists('cacti_escapeshellarg')) {
+	function cacti_escapeshellarg($arg) {
+		return "'" . str_replace("'", "'\\''", $arg) . "'";
+	}
+}
+
+test('__rrd_execute correctly handles array of arguments', function () {
+	$args = ['graph', '-', '--start', '12345; id'];
+	
+	// Simulated logic from __rrd_execute
+	$command_line = implode(' ', array_map('cacti_escapeshellarg', $args));
+	
+	expect($command_line)->toBe("'graph' '-' '--start' '12345; id'");
+});
+
+test('exec_background correctly handles array of arguments', function () {
+	$args = ['--poller=1', '--network=192.168.1.0/24; id'];
+	
+	// Simulated logic from exec_background
+	$args_string = implode(' ', array_map('cacti_escapeshellarg', $args));
+	
+	expect($args_string)->toBe("'--poller=1' '--network=192.168.1.0/24; id'");
+});