From c0d9c4f3ce7bda19081d0da01a599bec067338a3 Mon Sep 17 00:00:00 2001
From: Jo-Philipp Wich <jo@mein.io>
Date: Thu, 5 Apr 2018 09:32:22 +0200
Subject: treewide: filter shell arguments through shellquote() where
 applicable

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
---
 .../luci-app-splash/luasrc/controller/splash/splash.lua    | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

(limited to 'applications/luci-app-splash/luasrc/controller/splash')

diff --git a/applications/luci-app-splash/luasrc/controller/splash/splash.lua b/applications/luci-app-splash/luasrc/controller/splash/splash.lua
index b4fdbd53a6..af7a3a3c01 100644
--- a/applications/luci-app-splash/luasrc/controller/splash/splash.lua
+++ b/applications/luci-app-splash/luasrc/controller/splash/splash.lua
@@ -9,7 +9,7 @@ function index()
 	entry({"admin", "services", "splash", "splashtext" }, form("splash/splashtext"), _("Splashtext"), 10)
 
 	local e
-	
+
 	e = node("splash")
 	e.target = call("action_dispatch")
 
@@ -82,7 +82,7 @@ function action_activate()
 			end
 	        end)
 
-		if blacklisted then	
+		if blacklisted then
 			luci.http.redirect(luci.dispatcher.build_url("splash" ,"blocked"))
 		else
 			local id = tostring(mac):gsub(':', ''):lower()
@@ -106,7 +106,7 @@ function action_status_admin()
 	local uci = luci.model.uci.cursor_state()
 	local macs = luci.http.formvaluetable("save")
 
-	local changes = { 
+	local changes = {
 		whitelist = { },
 		blacklist = { },
 		lease     = { },
@@ -129,22 +129,22 @@ function action_status_admin()
 
 	if #changes.whitelist > 0 then
 		os.execute("luci-splash whitelist %s >/dev/null"
-			% table.concat(changes.whitelist))
+			% util.shellquote(table.concat(changes.whitelist)))
 	end
 
 	if #changes.blacklist > 0 then
 		os.execute("luci-splash blacklist %s >/dev/null"
-			% table.concat(changes.blacklist))
+			% util.shellquote(table.concat(changes.blacklist)))
 	end
 
 	if #changes.lease > 0 then
 		os.execute("luci-splash lease %s >/dev/null"
-			% table.concat(changes.lease))
+			% util.shellquote(table.concat(changes.lease)))
 	end
 
 	if #changes.remove > 0 then
 		os.execute("luci-splash remove %s >/dev/null"
-			% table.concat(changes.remove))
+			% util.shellquote(table.concat(changes.remove)))
 	end
 
 	luci.template.render("admin_status/splash", { is_admin = true })
-- 
cgit v1.2.3