From dc85e0df88e64ef0a0d841e68258a7af3505d9e0 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Thu, 20 Oct 2022 15:08:23 +0200
Subject: [PATCH] Fix #yogosha12949

---
 htdocs/core/class/utils.class.php | 22 ++++++++++++----------
 1 file changed, 12 insertions(+), 10 deletions(-)

diff --git a/htdocs/core/class/utils.class.php b/htdocs/core/class/utils.class.php
index d67bee7abac..f5c33bac652 100644
--- a/htdocs/core/class/utils.class.php
+++ b/htdocs/core/class/utils.class.php
@@ -354,6 +354,8 @@ class Utils
 
 			$handle = '';
 
+			// If $lowmemorydump is set, it means we want to make the compression using an external pipe instead retreiving the
+			// content of the dump in PHP memory array $output_arr and then print it into the PHP pipe open with xopen().
 			$lowmemorydump = GETPOSTISSET("lowmemorydump") ? GETPOST("lowmemorydump") : getDolGlobalString('MAIN_LOW_MEMORY_DUMP');
 
 			// Start call method to execute dump
@@ -371,22 +373,22 @@ class Utils
 				}
 			} else {
 				if ($compression == 'none') {
-					$fullcommandclear .= " > ".$outputfile;
-					$fullcommandcrypted .= " > ".$outputfile;
+					$fullcommandclear .= " > ".dol_sanitizePathName($outputfile);
+					$fullcommandcrypted .= " > ".dol_sanitizePathName($outputfile);
 					$handle = 1;
 				} elseif ($compression == 'gz') {
-					$fullcommandclear .= " | gzip > ".$outputfile;
-					$fullcommandcrypted .= " | gzip > ".$outputfile;
+					$fullcommandclear .= " | gzip > ".dol_sanitizePathName($outputfile);
+					$fullcommandcrypted .= " | gzip > ".dol_sanitizePathName($outputfile);
 					$paramcrypted.=" | gzip";
 					$handle = 1;
 				} elseif ($compression == 'bz') {
-					$fullcommandclear .= " | bzip2 > ".$outputfile;
-					$fullcommandcrypted .= " | bzip2 > ".$outputfile;
+					$fullcommandclear .= " | bzip2 > ".dol_sanitizePathName($outputfile);
+					$fullcommandcrypted .= " | bzip2 > ".dol_sanitizePathName($outputfile);
 					$paramcrypted.=" | bzip2";
 					$handle = 1;
 				} elseif ($compression == 'zstd') {
-					$fullcommandclear .= " | zstd > ".$outputfile;
-					$fullcommandcrypted .= " | zstd > ".$outputfile;
+					$fullcommandclear .= " | zstd > ".dol_sanitizePathName($outputfile);
+					$fullcommandcrypted .= " | zstd > ".dol_sanitizePathName($outputfile);
 					$paramcrypted.=" | zstd";
 					$handle = 1;
 				}
@@ -411,8 +413,8 @@ class Utils
 				}
 
 
-				// TODO Replace with executeCLI function but
-				// we must first introduce a low memory mode
+				// TODO Replace with Utils->executeCLI() function but
+				// we must first introduce the variant with $lowmemorydump into this method.
 				if ($execmethod == 1) {
 					$output_arr = array();
 					$retval = null;