luci-base: fix possible shell injection in luci.tools.status.switch_status()
authorJo-Philipp Wich <jo@mein.io>
Wed, 4 Apr 2018 22:32:28 +0000 (00:32 +0200)
committerJo-Philipp Wich <jo@mein.io>
Wed, 4 Apr 2018 22:32:56 +0000 (00:32 +0200)
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
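--- a/modules/luci-base/luasrc/tools/status.lua
+++ b/modules/luci-base/luasrc/tools/status.lua
@@ -187,7 +187,7 @@ function switch_status(devs)
        local switches = { }
        for dev in devs:gmatch("[^%s,]+") do
                local ports = { }
-               local swc = io.popen("swconfig dev %q show" % dev, "r")
+               local swc = io.popen("swconfig dev '%s' show" % dev:gsub("'", ""), "r")
                if swc then
                        local l
                        repeat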
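Review bot: The new `io.popen` line closes the injection by deleting single quotes from `dev`, which silently rewrites an unexpected name instead of rejecting it, so swconfig may be queried for a device other than the one the caller supplied. Checking each token against an allow-list before building the command, e.g. wrapping the popen call in `if dev:match("^[%w_%.%-]+$") then`, would make malformed input fail closed and keep the single-quoting as defence in depth. A short comment such as `-- dev is caller-supplied; io.popen runs the string through the shell, so it must be quoted` would record why the quoting is there. The loop body and the rest of switch_status continue outside the hunk, so whether the unstripped `dev` is reused later (for example as a table key) cannot be confirmed from here.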