luci-base: introduce luci.util.shellquote()

Introduce a new function luci.util.shellquote() which encloses the given string argument in single quotes and escapes any embedded single quote characters. This function is intended to be used when interpolating untrusted input into shell commands. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
author: Jo-Philipp Wich <jo@mein.io> 2018-04-05 09:29:38 +0200
committer: Jo-Philipp Wich <jo@mein.io> 2018-04-05 09:37:43 +0200
commit: 45cefe71f6069b088e14dd913eb382816acb945c (patch)
tree: 5f77a2ef3b7906d23ccff4760b2d35c80b3de531 /modules/luci-base/luasrc/util.lua
parent: 9e4b8a91384562e3baee724a52b72e30b1aa006d (diff)
1 files changed, 5 insertions, 1 deletions
diff --git a/modules/luci-base/luasrc/util.lua b/modules/luci-base/luasrc/util.lua
index 28c126621d..06a889cfc8 100644
--- a/modules/luci-base/luasrc/util.lua
+++ b/modules/luci-base/luasrc/util.lua
@@ -164,6 +164,10 @@ function striptags(value)
 	return value and tparser.striptags(tostring(value))
 end
 
+function shellquote(value)
+	return string.format("'%s'", string.gsub(value or "", "'", "'\\''"))
+end
+
 -- for bash, ash and similar shells single-quoted strings are taken
 -- literally except for single quotes (which terminate the string)
 -- (and the exception noted below for dash (-) at the start of a
@@ -656,7 +660,7 @@ function checklib(fullpathexe, wantedlib)
 	if not haveldd or not haveexe then
 		return false
 	end
-	local libs = exec("/usr/bin/ldd " .. fullpathexe)
+	local libs = exec(string.format("/usr/bin/ldd %s", shellquote(fullpathexe)))
 	if not libs then
 		return false
 	end
author	Jo-Philipp Wich <jo@mein.io>	2018-04-05 09:29:38 +0200
committer	Jo-Philipp Wich <jo@mein.io>	2018-04-05 09:37:43 +0200
commit	45cefe71f6069b088e14dd913eb382816acb945c (patch)
tree	5f77a2ef3b7906d23ccff4760b2d35c80b3de531 /modules/luci-base/luasrc/util.lua
parent	9e4b8a91384562e3baee724a52b72e30b1aa006d (diff)