From 94d630e1faa8a43c769a79e4fa646a706feb1dee Mon Sep 17 00:00:00 2001
From: Erick Hitter <git-contrib@ethitter.com>
Date: Tue, 26 Sep 2017 14:42:25 -0700
Subject: [PATCH] Check for basic bash operators that would permit wandering
 around the system, amongst other "fun."

---
 includes/functions.php | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/includes/functions.php b/includes/functions.php
index 0a42fec..6ae758f 100644
--- a/includes/functions.php
+++ b/includes/functions.php
@@ -196,6 +196,26 @@ function parse_command( $command ) {
 		return new WP_Error( 'no-command-specified', __( 'No command was provided.', 'wp-cli-cron-control-offload' ) );
 	}
 
+	// Block unsupported wanderings beyond WP-CLI.
+	// See http://tldp.org/HOWTO/Bash-Prog-Intro-HOWTO-3.html, http://tldp.org/HOWTO/Bash-Prog-Intro-HOWTO-4.html.
+	// TODO: provide additive filter?
+	$disallowed_positionals = array(
+		'&',
+		'|',
+		'>',
+		'2>',
+		'1>&2',
+		'2>&1',
+		'&>',
+	);
+
+	$found_disallowed = array_intersect( $positional_args, $disallowed_positionals );
+	if ( ! empty( $found_disallowed ) ) {
+		/* translators: 1: Disallowed character ampersand, 2: Disallowed character pipe, 3: Disallowed character redirect */
+		return new WP_Error( 'invalid-positional-args', sprintf( __( 'Invalid positional arguments, such as "%1$s", "%2$s", or "%3$s", found.', 'wp-cli-cron-control-offload' ), $disallowed_positionals[0], $disallowed_positionals[1], $disallowed_positionals[2] ) );
+	}
+
+	// Success!
 	return compact( 'positional_args', 'assoc_args', 'global_assoc', 'local_assoc' );
 }
 
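Review bot: The `array_intersect()` on the `$found_disallowed` line only matches a positional argument that is exactly one of the listed tokens, so an operator embedded in a longer argument, or a shell metacharacter not in the list (`;`, backticks, `$`), is not rejected, and the denylist has to be kept complete by hand. A character-class test closes that gap in one line: `$found_disallowed = preg_grep( '/[&|<>;`$]/', $positional_args );`, with the error message left as is. If the parsed arguments are later joined into a shell command string (not visible in this hunk), per-argument `escapeshellarg()` at that point is the actual boundary and this check is defense in depth; the comment above the list should say so rather than only linking the bash HOWTO. `parse_command()` starts before this hunk and `$positional_args` is populated outside it.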
-- 
GitLab