Merge branch 'ent-5436-Vulnerabilidad' into 'develop'

fix bug when saving netflow filters

See merge request artica/pandorafms!3064

pandora_console/include/functions_netflow.php

@@ -903,7 +903,7 @@ function netflow_get_command($filter)
  *
  * @return string Command line argument string.
  */
-function netflow_get_filter_arguments($filter)
+function netflow_get_filter_arguments($filter, $safe_input=false)
 {
     // Advanced filter.
     $filter_args = '';
@@ -1015,7 +1015,7 @@ function netflow_get_filter_arguments($filter)
     }
 
     if ($filter_args != '') {
-        $filter_args = escapeshellarg($filter_args);
+        $filter_args = ($safe_input === true) ? io_safe_input(escapeshellarg($filter_args)) : escapeshellarg($filter_args);
     }
 
     return $filter_args;
@@ -1673,7 +1673,7 @@ function netflow_get_top_data(
     // Get the command to call nfdump.
     $agg_command = sprintf(
         '%s -q -o csv -n %s -s %s/bytes -t %s-%s',
-        netflow_get_command($filter),
+        io_safe_output(netflow_get_command($filter)),
         $max,
         $aggregate,
         date($nfdump_date_format, $start_date),

pandora_console/operation/netflow/nf_live_view.php

@@ -154,7 +154,7 @@ if (!is_metaconsole()) {
 // Save user defined filter.
 if ($save != '' && check_acl($config['id_user'], 0, 'AW')) {
     // Save filter args.
-    $filter['filter_args'] = netflow_get_filter_arguments($filter);
+    $filter['filter_args'] = netflow_get_filter_arguments($filter, true);
 
     $filter_id = db_process_sql_insert('tnetflow_filter', $filter);
     if ($filter_id === false) {
@@ -171,7 +171,7 @@ if ($save != '' && check_acl($config['id_user'], 0, 'AW')) {
     unset($filter_copy['id_group']);
 
     // Save filter args.
-    $filter_copy['filter_args'] = netflow_get_filter_arguments($filter_copy);
+    $filter_copy['filter_args'] = netflow_get_filter_arguments($filter_copy, true);
 
     $result = db_process_sql_update(
         'tnetflow_filter',