treewide: filter shell arguments through shellquote() where applicable

[project/luci.git] / applications / luci-app-upnp / luasrc / controller / upnp.lua

diff --git a/applications/luci-app-upnp/luasrc/controller/upnp.lua b/applications/luci-app-upnp/luasrc/controller/upnp.lua
index e485708..95a0ef4 100644 (file)
--- a/applications/luci-app-upnp/luasrc/controller/upnp.lua
+++ b/applications/luci-app-upnp/luasrc/controller/upnp.lua
@@ -21,7 +21,7 @@ end
 function act_status()
        local uci = luci.model.uci.cursor()
        local lease_file = uci:get("upnpd", "config", "upnp_lease_file")
-       
+
        local ipt = io.popen("iptables --line-numbers -t nat -xnvL MINIUPNPD 2>/dev/null")
        if ipt then
                local upnpf = lease_file and io.open(lease_file, "r")
@@ -39,7 +39,7 @@ function act_status()
                                        num     = tonumber(num)
                                        extport = tonumber(extport)
                                        intport = tonumber(intport)
-                                       
+
                                        if upnpf then
                                                local uln = upnpf:read("*l")
                                                if uln then descr = uln:match(string.format("^%s:%d:%s:%d:%%d*:(.*)$", proto:upper(), extport, intaddr, intport)) end
@@ -76,7 +76,7 @@ function act_delete(num)
 
                local lease_file = uci:get("upnpd", "config", "upnp_lease_file")
                if lease_file and nixio.fs.access(lease_file) then
-                       luci.sys.call("sed -i -e '%dd' %q" %{ idx, lease_file })
+                       luci.sys.call("sed -i -e '%dd' %s" %{ idx, luci.util.shellquote(lease_file) })
                end
 
                luci.http.status(200, "OK")