Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Summary

Classic shell-metacharacter injection. The YPTSocket notification branch in plugin/Live/on_publish.php builds an execAsync() command line by string concatenation, single-quoting each argument but never calling escapeshellarg(). A ' in any of the three interpolated values ($users_id, $m3u8, $obj->liveTransmitionHistory_id) closes the quoted token and lets the attacker append arbitrary commands. File: plugin/Live/on_publish.php, line 267. Root cause: the developer wrapped each variable in literal single quotes ('$users_id', '$m3u8', '$obj->liveTransmitionHistory_id') believing this provides shell-quoting. PHP single-quoted-into-shell is not safe quoting; it is just two literal quote characters that the shell pairs greedily. Any embedded ' closes the outer string and resumes interpretation in the shell. The rest of the AVideo codebase already calls escapeshellarg() (137 call sites across the project) for ffmpeg invocations, so the safe primitive is well-known to the project; it was simply omitted from this branch. The endpoint is web-reachable (no .htaccess rule restricts on_publish.php, no REMOTE_ADDR check), so the trigger is a direct HTTP POST without going through nginx-rtmp.