From 2c930ae2cddb959c4d98c48b7fc9e1b28f0ac7b7 Mon Sep 17 00:00:00 2001
From: Klimov Paul <klimov.paul@gmail.com>
Date: Thu, 16 May 2013 20:51:02 +0300
Subject: [PATCH] Usage of "escapeshellarg" has been added to
 "yii\console\controllers\AssetController::actionCompress()".

---
 yii/console/controllers/AssetController.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/yii/console/controllers/AssetController.php b/yii/console/controllers/AssetController.php
index a707cb7..b2a5d12 100644
--- a/yii/console/controllers/AssetController.php
+++ b/yii/console/controllers/AssetController.php
@@ -365,8 +365,8 @@ EOD
 			$tmpFile = $outputFile . '.tmp';
 			$this->combineJsFiles($inputFiles, $tmpFile);
 			$log = shell_exec(strtr($this->jsCompressor, array(
-				'{from}' => $tmpFile,
-				'{to}' => $outputFile,
+				'{from}' => escapeshellarg($tmpFile),
+				'{to}' => escapeshellarg($outputFile),
 			)));
 			@unlink($tmpFile);
 		} else {
@@ -385,8 +385,8 @@ EOD
 			$tmpFile = $outputFile . '.tmp';
 			$this->combineCssFiles($inputFiles, $tmpFile);
 			$log = shell_exec(strtr($this->cssCompressor, array(
-				'{from}' => $tmpFile,
-				'{to}' => $outputFile,
+				'{from}' => escapeshellarg($tmpFile),
+				'{to}' => escapeshellarg($outputFile),
 			)));
 			@unlink($tmpFile);
 		} else {