fix(ssl): prevent shell injection via site name in self-signed cert generation

[mrrobot47]

Problem (security — command injection / root RCE)

Site_Self_Signed.php builds openssl commands with sprintf and runs them via EE::exec → proc_open → /bin/sh -c. The site name (and the file paths derived from it) were interpolated into those command strings without escapeshellarg, and the site name is not charset-validated anywhere upstream (name_checks_and_updates only lowercases / appends .test; ee-core has no validation either). So a name like x$(touch /tmp/PWNED).com passed to ee site create … --ssl=self would execute an attacker subshell as the EasyEngine (root) user. Confirmed reachable end-to-end.

Fix

Wrap every user- and config-derived value interpolated into the openssl shell commands with escapeshellarg() — the site-name-derived CSR/key/cert/conf paths, the CA key/pem/serial paths, and the CA password. escapeshellarg only changes shell parsing, so openssl still receives the literal -subj/SAN/pass:/path values — no functional change, but shell metacharacters can no longer break out. The class no longer trusts its input (defense-in-depth), independent of any upstream validation.

$serial_string is already escaped where it is built, so it is interpolated as-is at the final call to avoid double-quoting -CAserial.

Out of scope

The CA password is still passed as a pass: argument and logged in cleartext (the $obfuscate argument to EE::exec is unused) — tracked separately as audit finding A-04.

Testing

Manual: ee site create 'x$(touch /tmp/INJECT).com' --ssl=self (or with backticks) must NOT create /tmp/INJECT and must treat the metacharacters as literal; a normal --ssl=self site still generates its self-signed cert correctly.

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.