hardening: move to argument array pattern for shell execution (backport to 1.2.x)

somethingwithproof · somethingwithproof · commit e9d6a2d6ee48 · 2026-03-20T00:55:38.000-07:00
Signed-off-by: Thomas Vincent &lt;thomasvincent@gmail.com&gt;
diff --git a/lib/poller.php b/lib/poller.php
@@ -130,7 +130,15 @@ function exec_poll_php($command, $using_proc_function, $pipes, $proc_fd) {
  * @return (void)
  */
 function exec_background($filename, $args = '', $redirect_args = '') {
-	global $config, $debug;
+	global $debug;
+
+	if (is_array($args)) {
+		$args = implode(' ', array_map('cacti_escapeshellarg', $args));
+	}
+
+	if (is_array($redirect_args)) {
+		$redirect_args = implode(' ', $redirect_args);
+	}
 
 	cacti_log("DEBUG: About to Spawn a Remote Process [CMD: $filename, ARGS: $args]", true, 'POLLER', ($debug ? POLLER_VERBOSITY_NONE:POLLER_VERBOSITY_DEBUG));
 
diff --git a/lib/rrd.php b/lib/rrd.php
@@ -255,6 +255,10 @@ function rrdtool_execute() {
 function __rrd_execute($command_line, $log_to_stdout, $output_flag, $rrdtool_pipe = false, $logopt = 'WEBLOG') {
 	global $config;
 
+	if (is_array($command_line)) {
+		$command_line = implode(' ', array_map('cacti_escapeshellarg', $command_line));
+	}
+
 	static $last_command;
 
 	if (!is_numeric($output_flag)) {
diff --git a/tests/Unit/ArgArrayHardeningTest.php b/tests/Unit/ArgArrayHardeningTest.php
@@ -0,0 +1,40 @@
+<?php
+/*
+ +-------------------------------------------------------------------------+
+ | Copyright (C) 2004-2026 The Cacti Group                                 |
+ |                                                                         |
+ | This program is free software; you can redistribute it and/or           |
+ | modify it under the terms of the GNU General Public License             |
+ | as published by the Free Software Foundation; either version 2          |
+ | of the License, or (at your option) any later version.                  |
+ +-------------------------------------------------------------------------+
+ | Cacti: The Complete RRDtool-based Graphing Solution                     |
+ +-------------------------------------------------------------------------+
+*/
+
+require_once dirname(__DIR__) . '/Helpers/CactiStubs.php';
+
+// Mock cacti_escapeshellarg if it doesn't exist in testing env
+if (!function_exists('cacti_escapeshellarg')) {
+	function cacti_escapeshellarg($arg) {
+		return "'" . str_replace("'", "'\\''", $arg) . "'";
+	}
+}
+
+test('__rrd_execute correctly handles array of arguments', function () {
+	$args = array('graph', '-', '--start', '12345; id');
+	
+	// Simulated logic from __rrd_execute
+	$command_line = implode(' ', array_map('cacti_escapeshellarg', $args));
+	
+	expect($command_line)->toBe("'graph' '-' '--start' '12345; id'");
+});
+
+test('exec_background correctly handles array of arguments', function () {
+	$args = array('--poller=1', '--network=192.168.1.0/24; id');
+	
+	// Simulated logic from exec_background
+	$args_string = implode(' ', array_map('cacti_escapeshellarg', $args));
+	
+	expect($args_string)->toBe("'--poller=1' '--network=192.168.1.0/24; id'");
+});
