- Invalid XFS quota argument, fixes #4257

- Added missing shell escaping

server/plugins-available/apache2_plugin.inc.php

@@ -890,10 +890,10 @@ class apache2_plugin {
 			$primitive_root = $df_output[1];
 
 			if($file_system == 'xfs') {
-			exec("xfs_quota -x -c 'limit -u bsoft=$mb_soft" . 'm'. " bhard=$mb_hard" . 'm'. " $username' $primitive_root");
+				exec("xfs_quota -x -c " . escapeshellarg("limit -u bsoft=$mb_soft" . 'm'. " bhard=$mb_hard" . 'm'. " " . $data['new']['system_group']) . " " . escapeshellarg($primitive_root));
 
 				// xfs only supports timers globally, not per user.
-            exec("xfs_quota -x -c 'timer -bir -i 604800' $primitive_root");
+				exec("xfs_quota -x -c 'timer -bir -i 604800' " . escapeshellarg($primitive_root));
 
 				unset($project_uid, $username_position, $xfs_projects);
 				unset($primitive_root, $df_output, $mb_hard, $mb_soft);

server/plugins-available/nginx_plugin.inc.php

@@ -743,15 +743,15 @@ class nginx_plugin {
 			}
 
 			// get the primitive folder for document_root and the filesystem, will need it later.
-          $df_output=explode(" ", exec("df -T $document_root|awk 'END{print \$2,\$NF}'"));
+			$df_output=explode(" ", exec("df -T " . escapeshellarg($data['new']['document_root']) . "|awk 'END{print \$2,\$NF}'"));
 			$file_system = $df_output[0];
 			$primitive_root = $df_output[1];
 
 			if($file_system == 'xfs') {
-			exec("xfs_quota -x -c 'limit -u bsoft=$mb_soft" . 'm'. " bhard=$mb_hard" . 'm'. " $username' $primitive_root");
+				exec("xfs_quota -x -c " . escapeshellarg("limit -u bsoft=$mb_soft" . 'm'. " bhard=$mb_hard" . 'm'. " " . $data['new']['system_group']) . " " . escapeshellarg($primitive_root));
 
 				// xfs only supports timers globally, not per user.
-            exec("xfs_quota -x -c 'timer -bir -i 604800' $primitive_root");
+				exec("xfs_quota -x -c 'timer -bir -i 604800' " . escapeshellarg($primitive_root));
 
 				unset($project_uid, $username_position, $xfs_projects);
 				unset($primitive_root, $df_output, $mb_hard, $mb_soft);