diff --git a/website/index.php b/website/index.php
index 21eb0b6..3359f10 100644
--- a/website/index.php
+++ b/website/index.php
@@ -12,7 +12,7 @@ See .
diff --git a/website/websocket.php b/website/websocket.php
index ea20dca..5db94ac 100644
--- a/website/websocket.php
+++ b/website/websocket.php
@@ -92,10 +92,8 @@ class MyProcess implements MessageComponentInterface
 public function onMessage(ConnectionInterface $from, $msg) {
- // As we are going to use this argument in a shell command, we verify a limited set of characters that are safe once quoted.
- if (preg_match("/^[a-zA-Z0-9-_ ]+$/", $msg) !== 1) {
- return;
- }
+ // As we are going to use this argument in a shell command, we escape it.
+ $msg = escapeshellarg($msg);
 $client = $this->clients->offsetGet($from);
 // If a previous request was received, we execute the new one with another client for simplicity otherwise with current file deletion approach, we can't tell the worker `search.py` that we don't care about its execution anymore.
 if ($client->pid !== null) {
@@ -109,7 +107,7 @@ class MyProcess implements MessageComponentInterface
 file_put_contents($clientFilePath, '');
 // Start the independent worker.
 // Redirecting `stdout` is mandatory otherwise `exec` is blocking.
- $client->pid = exec("./search.py $clientId '$msg' > /dev/null & echo $!");
+ $client->pid = exec("./search.py $clientId $msg > /dev/null & echo $!");
 // `addTimer` doesn't enable us to use independently `$from->send` multiple times with blocking instructions between.
 $client->timer = $this->loop->addPeriodicTimer(1, function () use ($from, $clientId, $clientFilePath, $client) {
 echo "Checking news from $clientId\n";
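Review bot: Dropping the allowlist means `$msg` is no longer constrained in any way before it reaches the worker: `escapeshellarg('')` yields `''`, so an empty message is now forwarded as an empty positional argument (the old `+` quantifier rejected it), and a message beginning with `-` is quoted safely for the shell but still looks like an option to whatever parses `search.py`'s argv. `escapeshellarg()` only protects the shell boundary; it is not input validation for the program on the other side. I would keep a minimal precheck ahead of the escaping, e.g. `if ($msg === '' || $msg[0] === '-') { return; }`, and make the new comment say so: `// escapeshellarg() protects the shell; the worker's own argv parsing still sees the raw value.` The rest of onMessage continues below this hunk.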
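Review bot: The new exec line passes the escaped `$msg` directly after `$clientId`, so a value such as `--help` or `-x` is still interpreted as an option by the worker rather than as the search term; an explicit end-of-options marker fixes that if `search.py` uses argparse or another `--`-aware parser, `exec("./search.py $clientId -- $msg > /dev/null & echo $!")`. `$clientId` itself is still interpolated unquoted on the same line; its origin is outside this hunk, so if it is derived from anything the client controls it needs the same `escapeshellarg()` treatment. Longer term, `proc_open()` with an array command avoids the shell entirely and `proc_get_status()` returns the pid that `echo $!` is used for here. The enclosing method starts before this hunk and the timer callback continues past its last line.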