From a6d33362121a6781428a969abdf9ab8a361dfd6d Mon Sep 17 00:00:00 2001
From: glaszig
Date: Tue, 30 Jul 2019 20:51:48 +0200
Subject: [PATCH] fix command injection issue. fixes #354.
---
 includes/dhcp.php | 2 +-
 includes/hostapd.php | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/includes/dhcp.php b/includes/dhcp.php
index 60793029..ec85419f 100755
--- a/includes/dhcp.php
+++ b/includes/dhcp.php
@@ -48,7 +48,7 @@ function DisplayDHCPConfig()
 }
 $config .= $_POST['RangeLeaseTimeUnits'];
- exec('echo "'.$config.'" > /tmp/dhcpddata', $temp);
+ file_put_contents("/tmp/dhcpddata", $config);
 system('sudo cp /tmp/dhcpddata '.RASPI_DNSMASQ_CONFIG, $return);
 } else {
 $status->addMessage($errors, 'danger');
diff --git a/includes/hostapd.php b/includes/hostapd.php
index 0f167b68..96426b5c 100755
--- a/includes/hostapd.php
+++ b/includes/hostapd.php
@@ -638,7 +638,7 @@ function SaveHostAPDConfig($wpa_array, $enc_types, $modes, $interfaces, $status)
 $config.= 'country_code='.$_POST['country_code'].PHP_EOL;
 $config.= 'ignore_broadcast_ssid='.$ignore_broadcast_ssid.PHP_EOL;
- exec('echo "'.$config.'" > /tmp/hostapddata', $temp);
+ file_put_contents("/tmp/hostapddata", $config);
 system("sudo cp /tmp/hostapddata " . RASPI_HOSTAPD_CONFIG, $return);
 if ($wifiAPEnable == 1) {
@@ -655,7 +655,7 @@ function SaveHostAPDConfig($wpa_array, $enc_types, $modes, $interfaces, $status)
 $config.= 'interface='.$_POST['interface'].PHP_EOL;
 $config.= 'dhcp-range=10.3.141.50,10.3.141.255,255.255.255.0,12h'.PHP_EOL;
 }
- exec('echo "'.$config.'" > /tmp/dhcpddata', $temp);
+ file_put_contents("/tmp/dhcpddata", $config);
 system('sudo cp /tmp/dhcpddata '.RASPI_DNSMASQ_CONFIG, $return);
 if ($wifiAPEnable == 1) {
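Review bot: In the dhcp.php hunk the result of `file_put_contents("/tmp/dhcpddata", $config)` is not checked, so if the write fails the next line still runs `sudo cp` on whatever already sits at that path. Because the name is fixed and lives in world-writable /tmp, another local account could own or replace that file before the privileged copy; guard the call with `if (file_put_contents("/tmp/dhcpddata", $config) === false)` and report the failure through `$status->addMessage`, and consider a `tempnam()` name if the sudoers rule (not visible here) allows a variable source path. The three hostapd.php hunks repeat the same pattern for /tmp/hostapddata and /tmp/dhcpddata. DisplayDHCPConfig() starts and ends outside the hunk.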
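Review bot: In the first hostapd.php hunk (`@@ -638`) `$_POST['country_code']` is still appended to the hostapd configuration exactly as received, so the shell is no longer involved but a value containing a line break can still contribute configuration lines of its own. Validate before `$config` is built, for example `if (!preg_match('/^[A-Z]{2}$/', $_POST['country_code']))`, and reject the request otherwise. `$_POST['RangeLeaseTimeUnits']` in the dhcp.php hunk and `$_POST['interface']` in the `@@ -655` hunk need the same treatment, the latter presumably against the `$interfaces` argument the function already receives. SaveHostAPDConfig() continues outside these hunks, so an earlier check may exist that is not visible here.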
@@ -682,7 +682,7 @@ function SaveHostAPDConfig($wpa_array, $enc_types, $modes, $interfaces, $status)
 $config.= 'static routers=10.3.141.1'.PHP_EOL;
 $config.= 'static domain_name_server=1.1.1.1 8.8.8.8'.PHP_EOL;
 }
- exec('echo "'.$config.'" > /tmp/dhcpddata', $temp);
+ file_put_contents("/tmp/dhcpddata", $config);
 system('sudo cp /tmp/dhcpddata '.RASPI_DHCPCD_CONFIG, $return);