From 18d41b038911a527b901b49c90b4a1cb2c539cc3 Mon Sep 17 00:00:00 2001
From: Daniel Cebrian <daniel.cebrian@pandorafms.com>
Date: Thu, 25 Apr 2024 17:05:42 +0200
Subject: [PATCH 1/2] #13534 fixed js injection

---
 pandora_server/util/pandora_manage.pl | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/pandora_server/util/pandora_manage.pl b/pandora_server/util/pandora_manage.pl
index 31b977cf51..5b721bd0fc 100755
--- a/pandora_server/util/pandora_manage.pl
+++ b/pandora_server/util/pandora_manage.pl
@@ -6191,7 +6191,7 @@ sub cli_create_group() {
 				eval {
 					$group_id_nodo = db_insert ($dbh_metaconsole, 'id_grupo', 'INSERT INTO tgrupo (id_grupo, nombre, icon, parent, propagate, disabled,
 							custom_id, id_skin, description) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)', $group_name, safe_input($group_name), $icon, 
-							$parent_group_id, 0, 0, '', 0, $description);
+							$parent_group_id, 0, 0, '', 0, safe_input($description));
 				};
 				if ($@) {
 					print_log "[ERROR] Problems with IDS and doesn't created group\n\n";
@@ -6293,15 +6293,15 @@ sub cli_update_group() {
 					
 				if(defined($icon)){
 					if(defined($description)){
-						db_do ($dbh,'UPDATE tgrupo SET nombre=? , parent=? , icon=? , description=? WHERE id_grupo=?',$group_name,$parent_group_id,$icon,$description,$group_id);
+						db_do ($dbh,'UPDATE tgrupo SET nombre=? , parent=? , icon=? , description=? WHERE id_grupo=?',safe_input($group_name),$parent_group_id,$icon, safe_input($description) ,$group_id);
 					}else{
-						db_do ($dbh,'UPDATE tgrupo SET nombre=? , parent=? , icon=? WHERE id_grupo=?',$group_name,$parent_group_id,$icon,$group_id);
+						db_do ($dbh,'UPDATE tgrupo SET nombre=? , parent=? , icon=? WHERE id_grupo=?',safe_input($group_name),$parent_group_id,$icon,$group_id);
 					}
 				}else{
-					db_do ($dbh,'UPDATE tgrupo SET nombre=? , parent=? WHERE id_grupo=?',$group_name,$parent_group_id,$group_id);
+					db_do ($dbh,'UPDATE tgrupo SET nombre=? , parent=? WHERE id_grupo=?',safe_input($group_name),$parent_group_id,$group_id);
 				}
 			}else{
-				db_do ($dbh,'UPDATE tgrupo SET nombre=? WHERE id_grupo=?',$group_name,$group_id);
+				db_do ($dbh,'UPDATE tgrupo SET nombre=? WHERE id_grupo=?',safe_input($group_name),$group_id);
 			}
 			print_log "[INFO] Updated group '$group_id'\n\n";
 		}

From 86db699cd315b83e97aaef0ef979c415407f7faa Mon Sep 17 00:00:00 2001
From: Daniel Cebrian <daniel.cebrian@pandorafms.com>
Date: Mon, 29 Apr 2024 09:20:15 +0200
Subject: [PATCH 2/2] #13534 fixed sql injection in cli

---
 pandora_server/util/pandora_manage.pl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pandora_server/util/pandora_manage.pl b/pandora_server/util/pandora_manage.pl
index 5b721bd0fc..6ef84cbc43 100755
--- a/pandora_server/util/pandora_manage.pl
+++ b/pandora_server/util/pandora_manage.pl
@@ -6166,7 +6166,7 @@ sub cli_create_group() {
 	$icon = '' unless defined($icon);
 	$description = '' unless defined($description);
 
-	$group_id = pandora_create_group ($group_name, $icon, $parent_group_id, 0, 0, '', 0, $description, $dbh);
+	$group_id = pandora_create_group ($group_name, $icon, $parent_group_id, 0, 0, '', 0, safe_input($description), $dbh);
 	
 	if($group_id == -1) {
 		print_log "[ERROR] A problem has been ocurred creating group '$group_name'\n\n";