From 46bf3274d811fd5ad02b7e0fbec587b73d4bc045 Mon Sep 17 00:00:00 2001
From: Yassine DAMIRI
Date: Mon, 20 Apr 2026 01:00:43 +0200
Subject: [PATCH] fix: Changed order of escape to prevent RCE
---
 backend/setup.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/backend/setup.js b/backend/setup.js
index 84f42793ea..20d628ca97 100644
--- a/backend/setup.js
+++ b/backend/setup.js
@@ -123,8 +123,8 @@ const setupCertbotPlugins = async () => {
 // Escape single quotes and backslashes
 if (typeof certificate.meta.dns_provider_credentials === "string") {
 const escapedCredentials = certificate.meta.dns_provider_credentials
- .replaceAll("'", "\\'")
- .replaceAll("\\", "\\\\");
+ .replaceAll("\\", "\\\\")
+ .replaceAll("'", "\\'");
 const credentials_cmd = `[ -f '${credentials_loc}' ] || { mkdir -p /etc/letsencrypt/credentials 2> /dev/null; echo '${escapedCredentials}' > '${credentials_loc}' && chmod 600 '${credentials_loc}'; }`;
 promises.push(utils.exec(credentials_cmd));
 }
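Review bot: A single quote in `dns_provider_credentials` still ends the quoted `echo '…'` argument after this reorder, because a POSIX shell does not treat backslash as an escape inside single quotes, so `\'` closes the string instead of producing a literal quote. Assuming `utils.exec` hands `credentials_cmd` to `sh` (not visible here), the quote replacement should use the close-escape-reopen form, `.replaceAll("'", "'\\''")`, and the backslash doubling then only matters for an `echo` that interprets escapes; `printf '%s\n'` would avoid that dependency. Writing the file from Node with an exclusive-create flag and mode 0600 would remove the shell from this path altogether. The enclosing `setupCertbotPlugins` body starts and ends outside the hunk.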