From fd6cd41a95f39273a1d9d4042ad5c7f4df0ad75a Mon Sep 17 00:00:00 2001 From: Vincent Li Date: Fri, 10 Oct 2025 19:28:33 +0000 Subject: [PATCH] calamaris.dat: Fixes bug 13886 commit 7dca07fdcf018320bc10eb4d5fcd019dd1a7029a Author: Adolf Belka Date: Thu Sep 25 13:12:46 2025 +0200 calamaris.dat: Fixes bug 13886 Fixes: bug 13886 - calamaris.dat Multiple Parameters Command Injection Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer Signed-off-by: Vincent Li --- html/cgi-bin/logs.cgi/calamaris.dat | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/html/cgi-bin/logs.cgi/calamaris.dat b/html/cgi-bin/logs.cgi/calamaris.dat index dcc812e47..1c8e4b68e 100644 --- a/html/cgi-bin/logs.cgi/calamaris.dat +++ b/html/cgi-bin/logs.cgi/calamaris.dat @@ -170,6 +170,10 @@ if ($reportsettings{'ACTION'} eq $Lang::tr{'calamaris create report'}) if ($reportsettings{'RUN_BACKGROUND'} eq 'on') { $commandline.=" &"; } + if (!($commandline =~ /^[a-zA-Z0-9-\s]+$/)) + { + die "Invalid input in\"$commandline\""; + } system("${General::swroot}/proxy/calamaris/bin/mkreport $commandline") }
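Review bot: The new allowlist check runs after `$commandline.=" &";`, so with RUN_BACKGROUND set to 'on' the string always contains `&`, fails `/^[a-zA-Z0-9-\s]+$/`, and the script dies before `system()` is reached; the check should come before the background suffix is appended. The pattern is also looser than it looks: `\s` admits newline and carriage return and `$` matches before a trailing newline, while the single-string `system()` call still passes the text through the shell, where a newline separates commands. I would validate with `if ($commandline !~ /\A[a-zA-Z0-9 -]+\z/) { die "Invalid report options"; }` placed above the RUN_BACKGROUND line (assuming the options are joined with plain spaces, which the hunk does not show), and keep the raw `$commandline` out of the die message, since the commit message indicates it is built from request parameters. The enclosing `if ($reportsettings{'ACTION'} ...)` block begins outside this hunk, so how `$commandline` is assembled is not visible here.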