From c0d9c4f3ce7bda19081d0da01a599bec067338a3 Mon Sep 17 00:00:00 2001
From: Jo-Philipp Wich
Date: Thu, 5 Apr 2018 09:32:22 +0200
Subject: treewide: filter shell arguments through shellquote() where applicable

Signed-off-by: Jo-Philipp Wich
---
applications/luci-app-vnstat/luasrc/view/vnstat.htm | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
(limited to 'applications/luci-app-vnstat/luasrc/view')
diff --git a/applications/luci-app-vnstat/luasrc/view/vnstat.htm b/applications/luci-app-vnstat/luasrc/view/vnstat.htm
index 2b8d9ff9c..42d7d2404 100644
--- a/applications/luci-app-vnstat/luasrc/view/vnstat.htm
+++ b/applications/luci-app-vnstat/luasrc/view/vnstat.htm
@@ -21,12 +21,13 @@ style = (style and #style > 0) and style or "s" -- render image -- if iface then - style = style:gsub("[^%w]", "") - iface = iface:gsub("[^%w%.%-%_]", "") - luci.http.prepare_content("image/png") - local png = io.popen("vnstati -i '%s' '-%s' -o -" % { iface, style }) + local png = io.popen("vnstati -i %s -%s -o -" %{ + utl.shellquote(iface), + utl.shellquote(style) + }) + luci.http.write(png:read("*a")) png:close()
@@ -89,7 +90,7 @@ dbdir = dbdir or "/var/lib/vnstat" <% end end - end + end %> <% if empty then %>
--
cgit v1.2.3
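Review bot: With the two `gsub` filters removed in the first hunk, `style` and `iface` reach `vnstati` with no constraint on their content. `utl.shellquote()` keeps the shell from interpreting them, but `style` is still appended to a literal `-`, so it is no longer limited to the alphanumeric option letters the old filter enforced. I would keep an allowlist next to the quoting, for example `if not style:match("^%w+$") then style = "s" end` and `if not iface:match("^[%w%.%-_]+$") then return end` ahead of the `io.popen` call. The hunk does not show where `iface` and `style` are read or where `utl` is bound, so I am assuming request parameters and an existing `luci.util` local; the `if iface then` block also continues past the end of the hunk.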