authorNigel Kukard <nkukard@lbsd.net>2013-11-04 22:06:27 +0000
committerNigel Kukard <nkukard@lbsd.net>2013-11-04 22:09:03 +0000
commitc46eaca91247ccf8e6fb3b691dad028e1b084ae3 (patch)
treefaed085ef880760223d9b702ed7399fe84062b83 /lib/backup/database.rb
parentee0e9830c1c1e4c54fd0b18fadef50f76c3680a4 (diff)
downloadgitlab-ce-c46eaca91247ccf8e6fb3b691dad028e1b084ae3.tar.gz
More escaping
- Database name may contain characters which are not shell friendly - Database password could contain the same - While we are at it, there is no harm in escaping generated paths too - Refactored 2-line system(command) Signed-off-by: Nigel Kukard <nkukard@lbsd.net>
Diffstat (limited to 'lib/backup/database.rb')
-rw-r--r--lib/backup/database.rb11
1 files changed, 6 insertions, 5 deletions
diff --git a/lib/backup/database.rb b/lib/backup/database.rb
index c4fb2e2e159..6ada5bb4ea2 100644
--- a/lib/backup/database.rb
+++ b/lib/backup/database.rb
@@ -1,4 +1,5 @@
require 'yaml'
+require 'shellwords'
module Backup
class Database
@@ -13,20 +14,20 @@ module Backup
def dump
case config["adapter"]
when /^mysql/ then
- system("mysqldump #{mysql_args} #{config['database']} > #{db_file_name}")
+ system("mysqldump #{mysql_args} #{Shellwords.shellescape(config['database'])} > #{Shellwords.shellescape(db_file_name)}")
when "postgresql" then
pg_env
- system("pg_dump #{config['database']} > #{db_file_name}")
+ system("pg_dump #{Shellwords.shellescape(config['database'])} > #{db_file_name}")
end
end
def restore
case config["adapter"]
when /^mysql/ then
- system("mysql #{mysql_args} #{config['database']} < #{db_file_name}")
+ system("mysql #{mysql_args} #{Shellwords.shellescape(config['database'])} < #{db_file_name}")
when "postgresql" then
pg_env
- system("psql #{config['database']} -f #{db_file_name}")
+ system("psql #{Shellwords.shellescape(config['database'])} -f #{Shellwords.shellescape(db_file_name)}")
end
end
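Review bot: `db_file_name` is escaped unevenly. The `mysqldump` and `psql` lines wrap it in `Shellwords.shellescape`, but the `pg_dump` line in `dump` and the `mysql` line in `restore` still interpolate it raw, so a backup path containing spaces or shell metacharacters would still be split or reinterpreted by the shell in those two commands. They should use the same form, e.g. `system("pg_dump #{Shellwords.shellescape(config['database'])} > #{Shellwords.shellescape(db_file_name)}")` and likewise `< #{Shellwords.shellescape(db_file_name)}` for `mysql`. Longer term, the multi-argument form of `system` with `out:`/`in:` redirection options would keep these values away from the shell entirely.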
@@ -45,7 +46,7 @@ module Backup
'encoding' => '--default-character-set',
'password' => '--password'
}
- args.map { |opt, arg| "#{arg}='#{config[opt]}'" if config[opt] }.compact.join(' ')
+ args.map { |opt, arg| "#{arg}=#{Shellwords.shellescape(config[opt])}" if config[opt] }.compact.join(' ')
end
def pg_env
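Review bot: `Shellwords.shellescape(config[opt])` in `mysql_args` receives whatever the YAML loader produced, and a value such as an all-digit password is parsed as an Integer. On Ruby versions where `shellescape` does not stringify its argument this would raise instead of building the flag, whereas the old interpolation accepted any value. Passing `config[opt].to_s` keeps the earlier tolerance: `"#{arg}=#{Shellwords.shellescape(config[opt].to_s)}"`. Separately, `--password=...` on the command line stays visible to other local users in the process list while `mysqldump`/`mysql` runs; a client option file with restrictive permissions passed via `--defaults-extra-file` would avoid that. The start of `mysql_args` lies above this hunk, so the other mapped options are not visible here.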