diff options
| author | Jo-Philipp Wich <jo@mein.io> | 2018-04-05 09:32:22 +0200 |
|---|---|---|
| committer | Jo-Philipp Wich <jo@mein.io> | 2018-04-05 09:37:43 +0200 |
| commit | c0d9c4f3ce7bda19081d0da01a599bec067338a3 (patch) | |
| tree | a46fcf6c6a594ad1a2ab3fe09f2e4860355a27fb /modules/luci-base/luasrc/sys.lua | |
| parent | 45cefe71f6069b088e14dd913eb382816acb945c (diff) | |
treewide: filter shell arguments through shellquote() where applicable
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Diffstat (limited to 'modules/luci-base/luasrc/sys.lua')
| -rw-r--r-- | modules/luci-base/luasrc/sys.lua | 23 |
1 files changed, 8 insertions, 15 deletions
diff --git a/modules/luci-base/luasrc/sys.lua b/modules/luci-base/luasrc/sys.lua index 12b20e4c3..823e20770 100644 --- a/modules/luci-base/luasrc/sys.lua +++ b/modules/luci-base/luasrc/sys.lua @@ -87,10 +87,10 @@ end function httpget(url, stream, target) if not target then local source = stream and io.popen or luci.util.exec - return source("wget -qO- '"..url:gsub("'", "").."'") + return source("wget -qO- %s" % luci.util.shellquote(url)) else - return os.execute("wget -qO '%s' '%s'" % - {target:gsub("'", ""), url:gsub("'", "")}) + return os.execute("wget -qO %s %s" % + {luci.util.shellquote(target), luci.util.shellquote(url)}) end end @@ -443,18 +443,11 @@ function user.checkpasswd(username, pass) end function user.setpasswd(username, password) - if password then - password = password:gsub("'", [['"'"']]) - end - - if username then - username = username:gsub("'", [['"'"']]) - end - - return os.execute( - "(echo '" .. password .. "'; sleep 1; echo '" .. password .. "') | " .. - "passwd '" .. username .. "' >/dev/null 2>&1" - ) + return os.execute("(echo %s; sleep 1; echo %s) | passwd %s >/dev/null 2>&1" %{ + luci.util.shellquote(password), + luci.util.shellquote(password), + luci.util.shellquote(username) + }) end |