luci-mod-admin-full: fix possible shell injection in bandwith status

[project/luci.git] / modules / luci-mod-admin-full / luasrc / controller / admin / status.lua

diff --git a/modules/luci-mod-admin-full/luasrc/controller/admin/status.lua b/modules/luci-mod-admin-full/luasrc/controller/admin/status.lua
index 22e1b7e..4b03a18 100644 (file)
--- a/modules/luci-mod-admin-full/luasrc/controller/admin/status.lua
+++ b/modules/luci-mod-admin-full/luasrc/controller/admin/status.lua
@@ -62,7 +62,7 @@ end
 function action_bandwidth(iface)
        luci.http.prepare_content("application/json")
 
-       local bwc = io.popen("luci-bwc -i %q 2>/dev/null" % iface)
+       local bwc = io.popen("luci-bwc -i '%s' 2>/dev/null" % iface:gsub("'", ""))
        if bwc then
                luci.http.write("[")
 
@@ -80,7 +80,7 @@ end
 function action_wireless(iface)
        luci.http.prepare_content("application/json")
 
-       local bwc = io.popen("luci-bwc -r %q 2>/dev/null" % iface)
+       local bwc = io.popen("luci-bwc -r '%s' 2>/dev/null" % iface:gsub("'", ""))
        if bwc then
                luci.http.write("[")