Snoopy: use escapeshellarg instead of escapeshellcmd

We are escaping arguments, not commands, so we'd better use the semantically correct function, even though they are similar. Merges [37094] to the 4.1 branch. Built from https://develop.svn.wordpress.org/branches/4.1@37098 git-svn-id: http://core.svn.wordpress.org/branches/4.1@37065 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-03-30 14:10:23 +00:00 · 2016-03-30 14:10:23 +00:00 · 63bde8f97e
parent 7df345b1cc
commit 63bde8f97e
1 changed files with 12 additions and 9 deletions
--- a/wp-includes/class-snoopy.php
+++ b/wp-includes/class-snoopy.php
@ -999,20 +999,23 @@ class Snoopy
 		if(!empty($this->user) || !empty($this->pass))
 			$headers[] = "Authorization: BASIC ".base64_encode($this->user.":".$this->pass);
-		for($curr_header = 0; $curr_header < count($headers); $curr_header++) {
+		$headerfile = tempnam( $this->temp_dir, "sno" );
-			$safer_header = strtr( $headers[$curr_header], "\"", " " );
+		$cmdline_params = '-k -D ' . escapeshellarg( $headerfile );
-			$cmdline_params .= " -H \"".$safer_header."\"";
+
 		foreach ( $headers as $header ) {
 			$cmdline_params .= ' -H ' . escapeshellarg( $header );
 		}
-		if(!empty($body))
+		if ( ! empty( $body ) ) {
-			$cmdline_params .= " -d \"$body\"";
+			$cmdline_params .= ' -d ' . escapeshellarg( $body );
 		}
-		if($this->read_timeout > 0)
+		if ( $this->read_timeout > 0 ) {
-			$cmdline_params .= " -m ".$this->read_timeout;
+			$cmdline_params .= ' -m ' . escapeshellarg( $this->read_timeout );
 		}
 		$headerfile = tempnam($this->temp_dir, "sno");
-		exec($this->curl_path." -k -D \"$headerfile\"".$cmdline_params." \"".escapeshellcmd($URI)."\"",$results,$return);
+		exec( $this->curl_path . ' ' . $cmdline_params . ' ' . escapeshellarg( $URI ), $results, $return );
 		if($return)
 		{