MAGETWO-42038: RCE/DOS via cron.php

safwkhan · safwkhan · commit b2bc4d05afb6 · 2015-10-08T17:16:31.000-05:00
- Fixed security issue related to possible execution of shell commands or ShellShock.
diff --git a/pub/cron.php b/pub/cron.php
@@ -23,6 +23,9 @@
     if (empty($opt['group'])) {
         $opt['group'] = 'default';
     }
+    foreach ($opt as $key => $value) {
+        $opt[$key] = escapeshellarg($value);
+    }
     $opt['standaloneProcessStarted'] = '0';
     $params = $_SERVER;
     $params[StoreManager::PARAM_RUN_CODE] = 'admin';
