security: support array arguments in exec_background and __rrd_execute (1.2.x backport)

somethingwithproof · somethingwithproof · commit b3fdce87548d · 2026-03-28T16:05:27.000-07:00
- Accept array $args in exec_background(), auto-escape via cacti_escapeshellarg()
- Accept array $command_line in __rrd_execute(), auto-escape via cacti_escapeshellarg()
- Backward compatible: string arguments still work unchanged

Addresses GHSA-8522-5p3m-754c (High) - Authenticated RCE via Host Variable Injection

Signed-off-by: Thomas Vincent &lt;thomasvincent@gmail.com&gt;
diff --git a/lib/poller.php b/lib/poller.php
@@ -132,6 +132,14 @@ function exec_poll_php($command, $using_proc_function, $pipes, $proc_fd) {
 function exec_background($filename, $args = '', $redirect_args = '') {
 	global $config, $debug;
 
+	if (is_array($args)) {
+		$args = implode(' ', array_map('cacti_escapeshellarg', $args));
+	}
+
+	if (is_array($redirect_args)) {
+		$redirect_args = implode(' ', $redirect_args);
+	}
+
 	cacti_log("DEBUG: About to Spawn a Remote Process [CMD: $filename, ARGS: $args]", true, 'POLLER', ($debug ? POLLER_VERBOSITY_NONE:POLLER_VERBOSITY_DEBUG));
 
 	if (file_exists($filename)) {
diff --git a/lib/rrd.php b/lib/rrd.php
@@ -255,6 +255,10 @@ function rrdtool_execute() {
 function __rrd_execute($command_line, $log_to_stdout, $output_flag, $rrdtool_pipe = false, $logopt = 'WEBLOG') {
 	global $config;
 
+	if (is_array($command_line)) {
+		$command_line = implode(' ', array_map('cacti_escapeshellarg', $command_line));
+	}
+
 	static $last_command;
 
 	if (!is_numeric($output_flag)) {
