Fix remote execution bug where email address can contain malicious code

also convert almost all cmd execs for certificates to properly escape arguments
2025-08-23 01:10:23 +00:00 · 2025-08-20 09:53:13 +10:00
parent 54d463ac36
commit 8c9d2745e2
9 changed files with 305 additions and 222 deletions
--- a/backend/lib/utils.js
+++ b/backend/lib/utils.js
@@ -29,15 +29,19 @@ module.exports = {
 	/**
 	 * @param   {String} cmd
 	 * @param   {Array}  args
+	 * @param   {Object|undefined}  options
 	 * @returns {Promise}
 	 */
-	execFile: (cmd, args) => {
-		// logger.debug('CMD: ' + cmd + ' ' + (args ? args.join(' ') : ''));
+	execFile: (cmd, args, options) => {
+		logger.debug(`CMD: ${cmd} ${args ? args.join(' ') : ''}`);
+		if (typeof options === 'undefined') {
+			options = {};
+		}

 		return new Promise((resolve, reject) => {
-			execFile(cmd, args, (err, stdout, /*stderr*/) => {
+			execFile(cmd, args, options, (err, stdout, stderr) => {
 				if (err && typeof err === 'object') {
-					reject(err);
+					reject(new error.CommandError(stderr, 1, err));
 				} else {
 					resolve(stdout.trim());
 				}