From 829467b62748e8c4fb587636801fa03165f72e8a Mon Sep 17 00:00:00 2001 From: Daniel Dickinson Date: Tue, 1 Dec 2015 23:47:42 -0500 Subject: [PATCH] luci-base: Add function for shell single-quote parameter escaping When using os.execute or luci.sys.call the shell is called with the command line which means that standard shell interpretation of strings occurs. To allow to use these commands more easily we add functions for properly escaping single-quoted strings used on the command line --- modules/luci-base/luasrc/util.lua | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/modules/luci-base/luasrc/util.lua b/modules/luci-base/luasrc/util.lua index 787bc66f9..5bf0beb6c 100644 --- a/modules/luci-base/luasrc/util.lua +++ b/modules/luci-base/luasrc/util.lua @@ -151,6 +151,28 @@ function striptags(value) return value and tparser.striptags(tostring(value)) end +-- for bash, ash and similar shells single-quoted strings are taken +-- literally except for single quotes (which terminate the string) +-- (and the exception noted below for dash (-) at the start of a +-- command line parameter). +function shellsqescape(value) + local res + res, _ = string.gsub(res, "'", "'\\''") + return res +end + +-- bash, ash and other similar shells interpret a dash (-) at the start +-- of a command-line parameters as an option indicator regardless of +-- whether it is inside a single-quoted string. It must be backlash +-- escaped to resolve this. This requires in some funky special-case +-- handling. It may actually be a property of the getopt function +-- rather than the shell proper. +function shellstartsqescape(value) + res, _ = string.gsub(value, "^\-", "\\-") + res, _ = string.gsub(res, "^-", "\-") + return shellsqescape(value) +end + -- containing the resulting substrings. The optional max parameter specifies -- the number of bytes to process, regardless of the actual length of the given -- string. The optional last parameter, regex, specifies whether the separator -- 2.11.0