From 7e1ff9580def37d98a6358cfc0af56c3184a4ff0 Mon Sep 17 00:00:00 2001
From: Michael Save
Date: Tue, 20 Mar 2012 03:43:57 +1100
Subject: [PATCH] escapeshellarg() for auto-upgrade unzip
---
 mod.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/mod.php b/mod.php
index 1226a0db..cedceb26 100644
--- a/mod.php
+++ b/mod.php
@@ -369,7 +369,7 @@
 // For some reason, reading the ZIP entries in PHP doesn't seem to work very well.
 // Use shell instead.
- shell_exec('TEMP_DIR=$(mktemp -d); unzip -q "' . $temp . '" -d $TEMP_DIR -x "' . $dir . 'inc/instance-config.php"; mv -v $TEMP_DIR/' . $dir . '* "' . getcwd() . '"; rm -rf $TEMP_DIR');
+ shell_exec('TEMP_DIR=$(mktemp -d); unzip -q ' . escapeshellarg($temp) . ' -d $TEMP_DIR -x "' . escapeshellarg($dir) . 'inc/instance-config.php"; mv -v $TEMP_DIR/' . escapeshellarg($dir) . '* "' . getcwd() . '"; rm -rf $TEMP_DIR');
 unlink($temp);
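Review bot: The `-x` argument on the new `shell_exec()` line still places `escapeshellarg($dir)` inside a double-quoted shell string, where the single quotes that escapeshellarg() adds are literal characters, so `$`, backticks and `"` in `$dir` remain shell-active and the stray quote characters likely stop the pattern from excluding `inc/instance-config.php`. Escape the whole pattern as a single argument with no surrounding double quotes, `-x ' . escapeshellarg($dir . 'inc/instance-config.php') . ';`, and treat the destination the same way, `'* ' . escapeshellarg(getcwd()) . ';`, since `getcwd()` is still interpolated raw between double quotes. Where `$temp` and `$dir` are assigned is outside this hunk, so how far they can be influenced by the downloaded archive or a request cannot be confirmed from here; the enclosing block also starts and ends outside the hunk.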