authorJo-Philipp Wich <jo@mein.io>2019-12-18 21:22:06 +0100
committerJo-Philipp Wich <jo@mein.io>2019-12-18 21:22:06 +0100
commite884b63916ebf6d1a7e4f7c92240a76964ecaa85 (patch)
tree361e818c5b81ef53161da1b167b2077bda3c8a95 /modules
parentf3724e46a5fc33b3a6fc9f935b88e395c746149f (diff)
luci-base: fs.js: properly escape arguments in exec_direct()
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Diffstat (limited to 'modules')
-rw-r--r--modules/luci-base/htdocs/luci-static/resources/fs.js6
1 files changed, 4 insertions, 2 deletions
diff --git a/modules/luci-base/htdocs/luci-static/resources/fs.js b/modules/luci-base/htdocs/luci-static/resources/fs.js
index 612d4eb0f..e1bf4f874 100644
--- a/modules/luci-base/htdocs/luci-static/resources/fs.js
+++ b/modules/luci-base/htdocs/luci-static/resources/fs.js
@@ -374,11 +374,13 @@ var FileSystem = L.Class.extend(/** @lends LuCI.fs.prototype */ {
* rejecting with an error stating the failure reason.
*/
exec_direct: function(command, params) {
- var cmdstr = command;
+ var cmdstr = String(command)
+ .replace(/\\/g, '\\\\').replace(/(\s)/g, '\\$1');
if (Array.isArray(params))
for (var i = 0; i < params.length; i++)
- cmdstr += ' ' + params[i];
+ cmdstr += ' ' + String(params[i])
+ .replace(/\\/g, '\\\\').replace(/(\s)/g, '\\$1');
var postdata = 'sessionid=%s&command=%s'
.format(encodeURIComponent(L.env.sessionid), encodeURIComponent(cmdstr));
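Review bot: The escaping added on both `cmdstr` lines covers only backslashes and whitespace, so an argument survives intact only if the server-side command parser treats nothing else as special; that parser is not visible in this hunk, but if it honours quote characters, a parameter containing `'` or `"` would still be tokenised differently from what the caller passed. An empty-string entry in `params` also adds nothing after the separator, so that argument presumably disappears and later ones shift position; rejecting empty entries or documenting the limitation would make this explicit. The same two-step `.replace()` chain is written out twice, and a single helper such as `function esc(s) { return String(s).replace(/(["'\\\s])/g, '\\$1'); }` applied to both `command` and `params[i]` would keep them in step, with the escaped character set confirmed against the parser. The body of `exec_direct` continues past the end of the hunk.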