Mitigate CVE-2023-23596 by changing child_process.exec to child_process.execFile

Author: skarlcf

backend/internal/access-list.js

@@ -507,7 +507,7 @@ const internalAccessList = {
 								if (typeof item.password !== 'undefined' && item.password.length) {
 									logger.info('Adding: ' + item.username);
 
-									utils.exec('/usr/bin/htpasswd -b "' + htpasswd_file + '" "' + item.username + '" "' + item.password + '"')
+									utils.execFile('/usr/bin/htpasswd',['-b', htpasswd_file, item.username, item.password])
 										.then((/*result*/) => {
 											next();
 										})

backend/lib/utils.js

@@ -1,4 +1,5 @@
 const exec = require('child_process').exec;
+const execFile = require('child_process').execFile;
 
 module.exports = {
 
@@ -16,5 +17,21 @@ module.exports = {
 				}
 			});
 		});
+	},
+
+	/**
+	 * @param   {Array} cmd
+	 * @returns {Promise}
+	 */
+	execFile: function (cmd) {
+		return new Promise((resolve, reject) => {
+			execFile(cmd, function (err, stdout, /*stderr*/) {
+				if (err && typeof err === 'object') {
+					reject(err);
+				} else {
+					resolve(stdout.trim());
+				}
+			});
+		});
 	}
 };