From c0d9c4f3ce7bda19081d0da01a599bec067338a3 Mon Sep 17 00:00:00 2001
From: Jo-Philipp Wich <jo@mein.io>
Date: Thu, 5 Apr 2018 09:32:22 +0200
Subject: treewide: filter shell arguments through shellquote() where
 applicable

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
---
 .../luasrc/controller/freifunk/diag.lua                      | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

(limited to 'applications/luci-app-freifunk-diagnostics/luasrc/controller')

diff --git a/applications/luci-app-freifunk-diagnostics/luasrc/controller/freifunk/diag.lua b/applications/luci-app-freifunk-diagnostics/luasrc/controller/freifunk/diag.lua
index 7bb47612b6..92b3afc80d 100644
--- a/applications/luci-app-freifunk-diagnostics/luasrc/controller/freifunk/diag.lua
+++ b/applications/luci-app-freifunk-diagnostics/luasrc/controller/freifunk/diag.lua
@@ -33,7 +33,7 @@ function diag_command(cmd, addr)
 	if addr and addr:match("^[a-zA-Z0-9%-%.:_]+$") then
 		luci.http.prepare_content("text/plain")
 
-		local util = io.popen(cmd % addr)
+		local util = io.popen(cmd % luci.util.shellquote(addr))
 		if util then
 			while true do
 				local ln = util:read("*l")
@@ -52,21 +52,21 @@ function diag_command(cmd, addr)
 end
 
 function diag_ping(addr)
-	diag_command("ping -c 5 -W 1 %q 2>&1", addr)
+	diag_command("ping -c 5 -W 1 %s 2>&1", addr)
 end
 
 function diag_traceroute(addr)
-	diag_command("traceroute -q 1 -w 1 -n %q 2>&1", addr)
+	diag_command("traceroute -q 1 -w 1 -n %s 2>&1", addr)
 end
 
 function diag_nslookup(addr)
-	diag_command("nslookup %q 2>&1", addr)
+	diag_command("nslookup %s 2>&1", addr)
 end
 
 function diag_ping6(addr)
-	diag_command("ping6 -c 5 %q 2>&1", addr)
+	diag_command("ping6 -c 5 %s 2>&1", addr)
 end
 
 function diag_traceroute6(addr)
-	diag_command("traceroute6 -q 1 -w 2 -n %q 2>&1", addr)
+	diag_command("traceroute6 -q 1 -w 2 -n %s 2>&1", addr)
 end
-- 
cgit v1.2.3