summaryrefslogtreecommitdiffhomepage
path: root/modules/luci-base/luasrc/model
diff options
context:
space:
mode:
authorJo-Philipp Wich <jo@mein.io>2018-04-05 09:32:22 +0200
committerJo-Philipp Wich <jo@mein.io>2018-04-05 09:37:43 +0200
commitc0d9c4f3ce7bda19081d0da01a599bec067338a3 (patch)
treea46fcf6c6a594ad1a2ab3fe09f2e4860355a27fb /modules/luci-base/luasrc/model
parent45cefe71f6069b088e14dd913eb382816acb945c (diff)
treewide: filter shell arguments through shellquote() where applicable
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Diffstat (limited to 'modules/luci-base/luasrc/model')
-rw-r--r--modules/luci-base/luasrc/model/ipkg.lua23
-rw-r--r--modules/luci-base/luasrc/model/uci.lua2
2 files changed, 15 insertions, 10 deletions
diff --git a/modules/luci-base/luasrc/model/ipkg.lua b/modules/luci-base/luasrc/model/ipkg.lua
index e653b03465..e27ea52895 100644
--- a/modules/luci-base/luasrc/model/ipkg.lua
+++ b/modules/luci-base/luasrc/model/ipkg.lua
@@ -20,12 +20,14 @@ module "luci.model.ipkg"
-- Internal action function
local function _action(cmd, ...)
- local pkg = ""
+ local cmdline = { ipkg, cmd }
+
+ local k, v
for k, v in pairs({...}) do
- pkg = pkg .. " '" .. v:gsub("'", "") .. "'"
+ cmdline[#cmdline+1] = util.shellquote(v)
end
- local c = "%s %s %s >/tmp/opkg.stdout 2>/tmp/opkg.stderr" %{ ipkg, cmd, pkg }
+ local c = "%s >/tmp/opkg.stdout 2>/tmp/opkg.stderr" % table.concat(cmdline, " ")
local r = os.execute(c)
local e = fs.readfile("/tmp/opkg.stderr")
local o = fs.readfile("/tmp/opkg.stdout")
@@ -74,17 +76,17 @@ local function _parselist(rawdata)
end
-- Internal lookup function
-local function _lookup(act, pkg)
- local cmd = ipkg .. " " .. act
+local function _lookup(cmd, pkg)
+ local cmdline = { ipkg, cmd }
if pkg then
- cmd = cmd .. " '" .. pkg:gsub("'", "") .. "'"
+ cmdline[#cmdline+1] = util.shellquote(pkg)
end
-- OPKG sometimes kills the whole machine because it sucks
-- Therefore we have to use a sucky approach too and use
-- tmpfiles instead of directly reading the output
local tmpfile = os.tmpname()
- os.execute(cmd .. (" >%s 2>/dev/null" % tmpfile))
+ os.execute("%s >%s 2>/dev/null" %{ table.concat(cmdline, " "), tmpfile })
local data = _parselist(io.lines(tmpfile))
os.remove(tmpfile)
@@ -123,9 +125,12 @@ end
-- List helper
local function _list(action, pat, cb)
- local fd = io.popen(ipkg .. " " .. action ..
- (pat and (" '%s'" % pat:gsub("'", "")) or ""))
+ local cmdline = { ipkg, action }
+ if pat then
+ cmdline[#cmdline+1] = util.shellquote(pat)
+ end
+ local fd = io.popen(table.concat(cmdline, " "))
if fd then
local name, version, sz, desc
while true do
diff --git a/modules/luci-base/luasrc/model/uci.lua b/modules/luci-base/luasrc/model/uci.lua
index 3208f3b372..bbd9b4cfbf 100644
--- a/modules/luci-base/luasrc/model/uci.lua
+++ b/modules/luci-base/luasrc/model/uci.lua
@@ -407,7 +407,7 @@ function apply(self, configlist, command)
return { "/sbin/luci-reload", unpack(configlist) }
else
return os.execute("/sbin/luci-reload %s >/dev/null 2>&1"
- % table.concat(configlist, " "))
+ % util.shellquote(table.concat(configlist, " ")))
end
end