authorJo-Philipp Wich <jo@mein.io>2018-04-05 00:33:09 +0200
committerJo-Philipp Wich <jo@mein.io>2018-04-05 00:33:09 +0200
commit9e4b8a91384562e3baee724a52b72e30b1aa006d (patch)
treef68c899e693de7a43fa7dd9924afa6a7ad8b5a90
parent9db5fa93afdbb4667e523cba0e6bde4e73a01150 (diff)
luci-mod-admin-full: fix possible shell injection in bandwith status
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
-rw-r--r--modules/luci-mod-admin-full/luasrc/controller/admin/status.lua4
1 files changed, 2 insertions, 2 deletions
diff --git a/modules/luci-mod-admin-full/luasrc/controller/admin/status.lua b/modules/luci-mod-admin-full/luasrc/controller/admin/status.lua
index 22e1b7e17..4b03a1886 100644
--- a/modules/luci-mod-admin-full/luasrc/controller/admin/status.lua
+++ b/modules/luci-mod-admin-full/luasrc/controller/admin/status.lua
@@ -62,7 +62,7 @@ end
function action_bandwidth(iface)
luci.http.prepare_content("application/json")
- local bwc = io.popen("luci-bwc -i %q 2>/dev/null" % iface)
+ local bwc = io.popen("luci-bwc -i '%s' 2>/dev/null" % iface:gsub("'", ""))
if bwc then
luci.http.write("[")
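Review bot: In `action_bandwidth` the new `io.popen` line silently rewrites `iface` by deleting single quotes instead of rejecting a value that cannot be an interface name, so a malformed request still runs `luci-bwc` with an altered argument; the same applies to the `-r` call in `action_wireless` in the next hunk. Stripping `'` and wrapping the value in single quotes does keep it inside one shell word, but an allowlist check at the top of each function is easier to audit, e.g. `if type(iface) ~= "string" or not iface:match("^[%w%._%-]+$") then luci.http.status(400, "Bad Request") return end` (adjust the pattern to the device names these endpoints must accept). That guard also covers a missing `iface`, where `iface:gsub` would presumably raise on nil. Since the quoting is now duplicated, a shared helper (`luci.util.shellquote`, if this tree has it) would keep both call sites in step. Both function bodies continue outside their hunks.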
@@ -80,7 +80,7 @@ end
function action_wireless(iface)
luci.http.prepare_content("application/json")
- local bwc = io.popen("luci-bwc -r %q 2>/dev/null" % iface)
+ local bwc = io.popen("luci-bwc -r '%s' 2>/dev/null" % iface:gsub("'", ""))
if bwc then
luci.http.write("[")