security: escape Graphviz exec args & validate DBSearch::unserialize …

core/dbsearch.class.php

@@ -560,12 +560,22 @@ public function serialize($bDevelopParams = false, $aContextParams = array())
 	static public function unserialize($sValue)
 	{
 		$aData = json_decode(urldecode($sValue), true);
-		if (is_null($aData))
-		{
+		if (!is_array($aData) || count($aData) < 2) {
 			throw new CoreException("Invalid filter parameter");
 		}
+
+		// Basic type checks to avoid unexpected structures coming from the request
+		if (!isset($aData[0]) || !is_string($aData[0])) {
+			throw new CoreException("Invalid filter parameter: missing or invalid OQL string");
+		}
 		$sOql = $aData[0];
-		$aParams = $aData[1];
+
+		// Prevent extremely large payloads from being processed
+		if (strlen($sOql) > 20000) {
+			throw new CoreException("Invalid filter parameter: OQL too long");
+		}
+
+		$aParams = is_array($aData[1]) ? $aData[1] : array();
 		$aExtraParams = array();
 		foreach($aParams as $sParam => $sValue)
 		{

pages/graphviz.php

@@ -127,9 +127,17 @@ function GraphvizLifecycle($sClass)
 	@fwrite($rFile, $sDotDescription);
 	@fclose($rFile);
 	$aOutput = array();
-	$CommandLine = "\"$sDotExecutable\" -v -Tsvg < \"$sDotFilePath\" -o \"$sImageFilePath\" 2>&1";
-
-	exec($CommandLine, $aOutput, $iRetCode);
+
+	// Build command with escaped arguments to avoid shell injection.
+	// Use the dot executable with input and output file arguments instead of shell redirection.
+	$escapedDot = escapeshellarg($sDotExecutable);
+	$escapedDotInput = escapeshellarg($sDotFilePath);
+	$escapedDotOutput = escapeshellarg($sImageFilePath);
+
+	$CommandLine = $escapedDot.' -v -Tsvg '.$escapedDotInput.' -o '.$escapedDotOutput;
+
+	// exec will capture stdout; redirect stderr to stdout so we get full output in $aOutput
+	exec($CommandLine . ' 2>&1', $aOutput, $iRetCode);
 	if ($iRetCode != 0)
 	{
 		header('Content-type: text/html');