luci-base: fix possible shell injection in luci.tools.status.switch_status()

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
author: Jo-Philipp Wich <jo@mein.io> 2018-04-05 00:32:28 +0200
committer: Jo-Philipp Wich <jo@mein.io> 2018-04-05 00:32:56 +0200
commit: 9db5fa93afdbb4667e523cba0e6bde4e73a01150 (patch)
tree: 2fc93dd2f8c587e536fe5e86410f9059b792a86b
parent: 186e690c08a8766aecf9a0ffc60b4475e366d723 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/modules/luci-base/luasrc/tools/status.lua b/modules/luci-base/luasrc/tools/status.lua
index 501211181..1c4038735 100644
--- a/modules/luci-base/luasrc/tools/status.lua
+++ b/modules/luci-base/luasrc/tools/status.lua
@@ -187,7 +187,7 @@ function switch_status(devs)
 	local switches = { }
 	for dev in devs:gmatch("[^%s,]+") do
 		local ports = { }
-		local swc = io.popen("swconfig dev %q show" % dev, "r")
+		local swc = io.popen("swconfig dev '%s' show" % dev:gsub("'", ""), "r")
 		if swc then
 			local l
 			repeat
author	Jo-Philipp Wich <jo@mein.io>	2018-04-05 00:32:28 +0200
committer	Jo-Philipp Wich <jo@mein.io>	2018-04-05 00:32:56 +0200
commit	9db5fa93afdbb4667e523cba0e6bde4e73a01150 (patch)
tree	2fc93dd2f8c587e536fe5e86410f9059b792a86b
parent	186e690c08a8766aecf9a0ffc60b4475e366d723 (diff)