summaryrefslogtreecommitdiffhomepage
diff options
context:
space:
mode:
authorJo-Philipp Wich <jo@mein.io>2019-12-18 21:22:06 +0100
committerJo-Philipp Wich <jo@mein.io>2019-12-18 21:22:06 +0100
commite884b63916ebf6d1a7e4f7c92240a76964ecaa85 (patch)
tree361e818c5b81ef53161da1b167b2077bda3c8a95
parentf3724e46a5fc33b3a6fc9f935b88e395c746149f (diff)
luci-base: fs.js: properly escape arguments in exec_direct()
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
-rw-r--r--modules/luci-base/htdocs/luci-static/resources/fs.js6
1 files changed, 4 insertions, 2 deletions
diff --git a/modules/luci-base/htdocs/luci-static/resources/fs.js b/modules/luci-base/htdocs/luci-static/resources/fs.js
index 612d4eb0f..e1bf4f874 100644
--- a/modules/luci-base/htdocs/luci-static/resources/fs.js
+++ b/modules/luci-base/htdocs/luci-static/resources/fs.js
@@ -374,11 +374,13 @@ var FileSystem = L.Class.extend(/** @lends LuCI.fs.prototype */ {
* rejecting with an error stating the failure reason.
*/
exec_direct: function(command, params) {
- var cmdstr = command;
+ var cmdstr = String(command)
+ .replace(/\\/g, '\\\\').replace(/(\s)/g, '\\$1');
if (Array.isArray(params))
for (var i = 0; i < params.length; i++)
- cmdstr += ' ' + params[i];
+ cmdstr += ' ' + String(params[i])
+ .replace(/\\/g, '\\\\').replace(/(\s)/g, '\\$1');
var postdata = 'sessionid=%s&command=%s'
.format(encodeURIComponent(L.env.sessionid), encodeURIComponent(cmdstr));