From e64ace7ccf4ca63a0acb00f906eef4e43c978033 Mon Sep 17 00:00:00 2001
From: Markus Frosch
Date: Tue, 26 Mar 2019 11:38:04 +0100
Subject: [PATCH] IcingaCommandForm: Add warning for command as plain string
---
 application/forms/IcingaCommandForm.php | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/application/forms/IcingaCommandForm.php b/application/forms/IcingaCommandForm.php
index bba4278a..0524f574 100644
--- a/application/forms/IcingaCommandForm.php
+++ b/application/forms/IcingaCommandForm.php
@@ -76,8 +76,9 @@ class IcingaCommandForm extends DirectorObjectForm
 $descIsString = [
 $this->translate('Render the command as a plain string instead of an array.'),
- $this->translate('This can not be used together with arguments.'),
- $this->translate('It is disabled by default and should only be used in rare cases.'),
+ $this->translate('If enabled you can not define arguments.'),
+ $this->translate('Disabled by default, and should only be used in rare cases.'),
+ $this->translate('WARNING, this can allow shell script injection via custom variables used in command.'),
 ];
 $this->addBoolean(
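Review bot: The new warning entry in `$descIsString` names the risk but not its cause or what the operator should do, and it is only advisory: nothing in this hunk restricts who may enable the option or which custom variables may appear in a string command. A more actionable wording would be `$this->translate('WARNING: a string command is passed to a shell, so values of custom variables used in it are not escaped; only enable this if every such variable comes from a trusted source.'),`. This assumes Icinga 2 hands string commands to a shell, which should be confirmed before merging the text. The two reworded entries also keep "can not", which reads better as "cannot". The enclosing method and the `addBoolean(` call continue outside the hunk, so it is not visible here whether the option is permission-gated or logged when enabled.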