From 19c55e29bf06d05e1ab3e6c81fb7276809f0a123 Mon Sep 17 00:00:00 2001
From: Greg Hormann <ghormann@gmail.com>
Date: Sun, 27 Jun 2021 15:19:45 -0400
Subject: [PATCH] Add validation to Branch name before switching Related to
 https://www.huntr.dev/bounties/29-other-FalconChristmas/fpp/

---
 scripts/git_branch   | 6 ++++++
 www/changebranch.php | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/scripts/git_branch b/scripts/git_branch
index 10c86a120..0877be76b 100755
--- a/scripts/git_branch
+++ b/scripts/git_branch
@@ -15,6 +15,12 @@ teeOutput
 
 echo "$0 running to switch branches to $1"
 
+CNT=`cd ${FPPDIR} && git show-ref | grep "refs/remotes/origin" | grep -i $1 | wc -l`
+if [ $CNT -eq 0 ]; then
+	echo "Invalid Branch Name: $1"
+	exit 1
+fi
+
 echo "Stopping fppd"
 ${SUDO} ${FPPDIR}/scripts/fppd_stop
 
diff --git a/www/changebranch.php b/www/changebranch.php
index 28f95960b..3b1b7ba37 100644
--- a/www/changebranch.php
+++ b/www/changebranch.php
@@ -19,7 +19,7 @@
 <?php
     echo "==================================================================================\n";
 
-    $branch = escapeshellcmd($_GET['branch']);
+    $branch = escapeshellcmd(htmlspecialchars($_GET['branch']));
 	$command = "sudo /opt/fpp/scripts/git_branch " . $branch . " 2>&1";
 
 	echo "Command: $command\n";