summaryrefslogtreecommitdiffhomepage
path: root/modules/luci-base
diff options
context:
space:
mode:
authorJo-Philipp Wich <jo@mein.io>2018-04-05 09:29:38 +0200
committerJo-Philipp Wich <jo@mein.io>2018-04-05 09:37:43 +0200
commit45cefe71f6069b088e14dd913eb382816acb945c (patch)
tree5f77a2ef3b7906d23ccff4760b2d35c80b3de531 /modules/luci-base
parent9e4b8a91384562e3baee724a52b72e30b1aa006d (diff)
luci-base: introduce luci.util.shellquote()
Introduce a new function luci.util.shellquote() which encloses the given string argument in single quotes and escapes any embedded single quote characters. This function is intended to be used when interpolating untrusted input into shell commands. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Diffstat (limited to 'modules/luci-base')
-rw-r--r--modules/luci-base/luasrc/util.lua6
-rw-r--r--modules/luci-base/luasrc/util.luadoc9
2 files changed, 14 insertions, 1 deletions
diff --git a/modules/luci-base/luasrc/util.lua b/modules/luci-base/luasrc/util.lua
index 28c126621..06a889cfc 100644
--- a/modules/luci-base/luasrc/util.lua
+++ b/modules/luci-base/luasrc/util.lua
@@ -164,6 +164,10 @@ function striptags(value)
return value and tparser.striptags(tostring(value))
end
+function shellquote(value)
+ return string.format("'%s'", string.gsub(value or "", "'", "'\\''"))
+end
+
-- for bash, ash and similar shells single-quoted strings are taken
-- literally except for single quotes (which terminate the string)
-- (and the exception noted below for dash (-) at the start of a
@@ -656,7 +660,7 @@ function checklib(fullpathexe, wantedlib)
if not haveldd or not haveexe then
return false
end
- local libs = exec("/usr/bin/ldd " .. fullpathexe)
+ local libs = exec(string.format("/usr/bin/ldd %s", shellquote(fullpathexe)))
if not libs then
return false
end
diff --git a/modules/luci-base/luasrc/util.luadoc b/modules/luci-base/luasrc/util.luadoc
index 949aeb21c..79a17a228 100644
--- a/modules/luci-base/luasrc/util.luadoc
+++ b/modules/luci-base/luasrc/util.luadoc
@@ -83,6 +83,15 @@ Strip HTML tags from given string.
]]
---[[
+Safely quote value for use in shell commands.
+
+@class function
+@name shellquote
+@param value String containing the value to quote
+@return Single-quote enclosed string with embedded quotes escaped
+]]
+
+---[[
Splits given string on a defined separator sequence and return a table
containing the resulting substrings. The optional max parameter specifies