From d3cfa9c2bcad628b00b828534c782f4668acfd4e Mon Sep 17 00:00:00 2001
From: FusionPBX
Date: Wed, 12 Jul 2023 10:47:57 -0600
Subject: [PATCH] Update mkdir.lua
---
 .../resources/scripts/resources/functions/mkdir.lua | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/app/switch/resources/scripts/resources/functions/mkdir.lua b/app/switch/resources/scripts/resources/functions/mkdir.lua
index 36b880335b..a0a55f38b1 100644
--- a/app/switch/resources/scripts/resources/functions/mkdir.lua
+++ b/app/switch/resources/scripts/resources/functions/mkdir.lua
@@ -2,6 +2,11 @@
 function mkdir(dir)
 api = freeswitch.API();
 dir = dir:gsub([[\]], "/");
+
+ --retrieve allowed characters and then use it to sanitize the dir variable
+ local allowed_chars = os.getenv("ALLOWED_CHARS") or "^%a%d%-%._~"
+ dir = dir:gsub("[^" .. allowed_chars .. "]", "")
+
 if (package.config:sub(1,1) == "/") then
 --unix
 cmd = [[mkdir -p "]] .. dir .. [["]];
@@ -9,7 +14,7 @@
 --windows
 cmd = [[mkdir "]] .. dir .. [["]];
 end
- -- os.execute(cmd);
- api:executeString("system " .. cmd );
+ os.execute(cmd);
+ --api:executeString("system " .. cmd );
 return cmd;
 end
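Review bot: The default allow-list in the `@@ -2,6 +2,11 @@` hunk has no `/`, so after the earlier backslash-to-slash conversion the new `gsub` deletes every path separator (and spaces, and the `:` of a Windows drive letter), and `mkdir` then runs on a flattened relative name instead of the requested path. The leading `^` in the default also becomes a literal caret inside the set once it is spliced after `[^`, which looks unintended. Reading the set from `ALLOWED_CHARS` means the filter that protects the double-quoted shell string can be widened or broken (a `]`, `"`, `$` or backtick in the value) by whoever controls the process environment; a fixed constant is safer, e.g. `local allowed_chars = "%a%d%-%._~/"`. A one-line comment stating that this filter is what keeps `dir` from escaping the quotes in `cmd` would help; the body of `mkdir` continues past this hunk.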
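Review bot: In the `@@ -9,7 +14,7 @@` hunk the status of `os.execute(cmd)` is discarded and the function still returns `cmd`, so a failed or mis-targeted mkdir is silent to callers. Capture and check it, e.g. `local ok = os.execute(cmd);` followed by a log line on failure; the return shape presumably depends on the Lua version the switch embeds (a status number in 5.1, `true`/`nil` in 5.2 and later), so test for both. A `dir` that begins with `-` passes the filter and would be read by mkdir as an option; on the unix branch `cmd = [[mkdir -p -- "]] .. dir .. [["]];` closes that. The commented-out `api:executeString` line and the now-unused `api = freeswitch.API()` could be dropped; `mkdir` begins above this hunk.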