From ad1ca08de3ae4ca7ca0b0257a93f8dba47669271 Mon Sep 17 00:00:00 2001
From: glaszig <glaszig@gmail.com>
Date: Thu, 27 Feb 2020 23:52:35 +0000
Subject: [PATCH] escape qrencode arguments in multibyte-safe way

---
 app/img/wifi-qr-code.php |  3 ++-
 includes/functions.php   | 14 ++++++++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/app/img/wifi-qr-code.php b/app/img/wifi-qr-code.php
index f99bdcf9..d0be9670 100644
--- a/app/img/wifi-qr-code.php
+++ b/app/img/wifi-qr-code.php
@@ -2,6 +2,7 @@
 
 require_once '../../includes/config.php';
 require_once '../../includes/defaults.php';
+require_once '../../includes/functions.php';
 
 function qr_encode($str)
 {
@@ -34,7 +35,7 @@ $ssid = qr_encode($ssid);
 $password = qr_encode($password);
 
 $data = "WIFI:S:$ssid;T:$type;P:$password;$hidden;";
-$command = "qrencode -t svg -m 0 -o - " . escapeshellarg($data);
+$command = "qrencode -t svg -m 0 -o - " . mb_escapeshellarg($data);
 $svg = shell_exec($command);
 
 $config_mtime  = filemtime(RASPI_HOSTAPD_CONFIG);
diff --git a/includes/functions.php b/includes/functions.php
index 81fed816..b75cf170 100755
--- a/includes/functions.php
+++ b/includes/functions.php
@@ -332,3 +332,17 @@ function cache($key, $callback)
         return $data;
     }
 }
+
+// insspired by
+// http://markushedlund.com/dev/php-escapeshellarg-with-unicodeutf-8-support
+function mb_escapeshellarg($arg)
+{
+    $isWindows = strtolower(substr(PHP_OS, 0, 3)) === 'win';
+    if ($isWindows) {
+        $escaped_arg = str_replace(array('"', '%'), '', $arg);
+    } else {
+        $escaped_arg = str_replace("'", "'\\''", $arg);
+    }
+    return "\"$escaped_arg\"";
+}
+