Add 'command' type to R\F\Security::sanitize()

common/framework/Security.php

@@ -44,6 +44,12 @@ class Security
 				$sanitizer = new \enshrined\svgSanitize\Sanitizer();
 				return strval($sanitizer->sanitize($input));
 
+			// Clean up a path to prevent argument injection.
+			case 'command':
+				if (!utf8_check($input)) return false;
+				if (\RX_WINDOWS || preg_match('![^a-z0-9/._-]!', $input)) return escapeshellarg($input);
+				return strval($input);
+
 			// Unknown filters.
 			default:
 				throw new Exception('Unknown filter type for sanitize: ' . $type);

tests/unit/framework/SecurityTest.php

@@ -25,6 +25,17 @@ class SecurityTest extends \Codeception\Test\Unit
 		$source = '<svg><rect></rect><script></script></svg>';
 		$target = '<?xml version="1.0" encoding="UTF-8"?>' . "\n<svg>\n  <rect></rect>\n</svg>\n";
 		$this->assertEquals($target, Rhymix\Framework\Security::sanitize($source, 'svg'));
+
+		// Command
+		if (!\RX_WINDOWS)
+		{
+			$source = '/usr/bin/ffmpeg';
+			$target = '/usr/bin/ffmpeg';
+			$this->assertEquals($target, Rhymix\Framework\Security::sanitize($source, 'command'));
+			$source = '/usr/bin/path with space/ffmpeg';
+			$target = '\'/usr/bin/path with space/ffmpeg\'';
+			$this->assertEquals($target, Rhymix\Framework\Security::sanitize($source, 'command'));
+		}
 	}
 
 	public function testEncryption()