Password: Fix security issue in virtualmin and sasl drivers

CHANGELOG

@@ -36,6 +36,7 @@ RELEASE 1.3-rc
 - Fix undesired effects when postgres database uses different timezone than PHP host (#5708)
 - Installer: Fix DB schema initialization on MS SQL Server
 - Fix bug where base_dn setting was ignored inside group_filters (#5720)
+- Password: Fix security issue in virtualmin and sasl drivers
 
 RELEASE 1.3-beta
 ----------------

plugins/password/drivers/sasl.php

@@ -36,7 +36,7 @@ class rcube_sasl_password
     function save($currpass, $newpass)
     {
         $curdir   = RCUBE_PLUGINS_DIR . 'password/helpers';
-        $username = escapeshellcmd($_SESSION['username']);
+        $username = escapeshellarg($_SESSION['username']);
         $args     = rcmail::get_instance()->config->get('password_saslpasswd_args', '');
 
         if ($fh = popen("$curdir/chgsaslpasswd -p $args $username", 'w')) {

plugins/password/drivers/virtualmin.php

@@ -70,9 +70,9 @@ class rcube_virtualmin_password
             $domain = $rcmail->user->get_username('domain');
         }
 
-        $username = escapeshellcmd($username);
+        $username = escapeshellarg($username);
-        $domain   = escapeshellcmd($domain);
+        $domain   = escapeshellarg($domain);
-        $newpass  = escapeshellcmd($newpass);
+        $newpass  = escapeshellarg($newpass);
         $curdir   = RCUBE_PLUGINS_DIR . 'password/helpers';
 
         exec("$curdir/chgvirtualminpasswd modify-user --domain $domain --user $username --pass $newpass", $output, $returnvalue);