patch command injection vulnerability

main.c

@@ -1510,7 +1510,7 @@ void get_tlm(void) {
 
       printf("\n\nTelemetry string is %s \n\n", str);	
 
-      if (transmit) {
+      if (transmit && is_safe_input(str)) {
         FILE * file2 = popen(str, "r");
         pclose(file2);
 
@@ -1530,6 +1530,17 @@ void get_tlm(void) {
   return;
 }
 
+int is_safe_input(const char *s) {
+  for (; *s; s++) {
+    if (!isdigit((unsigned char)*s)
+        && !isupper((unsigned char)*s)
+        && *s != '.' && *s != '-' && *s != '+'
+        && *s != ' ' && *s != '\n' && *s != '_')
+        return 0;
+  }
+  return 1;
+}
+
 // generates telemetry which is decoded by AMSAT's FoxTelem: https://www.amsat.org/foxtelem-software-for-windows-mac-linux/
 // for more info about how we use FoxTelem see https://www.g0kla.com/foxtelem/amsat_telemetry_designers_handbook.pdf
 

main.h

@@ -98,6 +98,7 @@ extern const unsigned char ALPHA_TO[];
 // const unsigned char *CCodecAO40::encode(unsigned char *source_bytes, int byte_count);
 void program_radio();
 void socket_send(int length);
+int is_safe_input(const char *s);
 
 int socket_open = 0;
 int sock = 0;