From c0d9c4f3ce7bda19081d0da01a599bec067338a3 Mon Sep 17 00:00:00 2001
From: Jo-Philipp Wich
Date: Thu, 5 Apr 2018 09:32:22 +0200
Subject: treewide: filter shell arguments through shellquote() where applicable
Signed-off-by: Jo-Philipp Wich
---
 modules/luci-base/luasrc/model/ipkg.lua | 23 ++++++++++++++---------
 1 file changed, 14 insertions(+), 9 deletions(-)
(limited to 'modules/luci-base/luasrc/model/ipkg.lua')
diff --git a/modules/luci-base/luasrc/model/ipkg.lua b/modules/luci-base/luasrc/model/ipkg.lua
index e653b03465..e27ea52895 100644
--- a/modules/luci-base/luasrc/model/ipkg.lua
+++ b/modules/luci-base/luasrc/model/ipkg.lua
@@ -20,12 +20,14 @@ module "luci.model.ipkg"
 -- Internal action function
 local function _action(cmd, ...)
- local pkg = ""
+ local cmdline = { ipkg, cmd }
+
+ local k, v
 for k, v in pairs({...}) do
- pkg = pkg .. " '" .. v:gsub("'", "") .. "'"
+ cmdline[#cmdline+1] = util.shellquote(v)
 end
- local c = "%s %s %s >/tmp/opkg.stdout 2>/tmp/opkg.stderr" %{ ipkg, cmd, pkg }
+ local c = "%s >/tmp/opkg.stdout 2>/tmp/opkg.stderr" % table.concat(cmdline, " ")
 local r = os.execute(c)
 local e = fs.readfile("/tmp/opkg.stderr")
 local o = fs.readfile("/tmp/opkg.stdout")
@@ -74,17 +76,17 @@ local function _parselist(rawdata)
 end
 -- Internal lookup function
-local function _lookup(act, pkg)
- local cmd = ipkg .. " " .. act
+local function _lookup(cmd, pkg)
+ local cmdline = { ipkg, cmd }
 if pkg then
- cmd = cmd .. " '" .. pkg:gsub("'", "") .. "'"
+ cmdline[#cmdline+1] = util.shellquote(pkg)
 end
 -- OPKG sometimes kills the whole machine because it sucks
 -- Therefore we have to use a sucky approach too and use
 -- tmpfiles instead of directly reading the output
 local tmpfile = os.tmpname()
- os.execute(cmd .. (" >%s 2>/dev/null" % tmpfile))
+ os.execute("%s >%s 2>/dev/null" %{ table.concat(cmdline, " "), tmpfile })
 local data = _parselist(io.lines(tmpfile))
 os.remove(tmpfile)
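Review bot: `util.shellquote(v)` in `_action` stops the shell from interpreting an argument, but a value that starts with `-` still reaches opkg as an option instead of a package name, and nothing in the loop rejects it. The same holds for `pkg` in `_lookup` and `pat` in `_list` in the later hunks. If no caller needs to pass options through these parameters (not visible here), reject such values before quoting, for example `assert(v:sub(1, 1) ~= "-", "option-like argument rejected")`, or raise whatever error the callers already handle. The rewritten `local c` line also keeps the fixed `/tmp/opkg.stdout` and `/tmp/opkg.stderr` paths, which concurrent calls overwrite, while `_lookup` uses `os.tmpname()`. `_action` continues past the end of the hunk.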
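Review bot: The new `os.execute(...)` line in `_lookup` drops the exit status and sends stderr to `/dev/null`, so a failed opkg run cannot be told apart from an empty package list. `_action` keeps the status in `r`; doing the same here, `local rc = os.execute("%s >%s 2>/dev/null" %{ table.concat(cmdline, " "), tmpfile })`, would let the function report or log a failure before parsing. How the callers should see that failure is not visible, since `_lookup` returns outside the hunk.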
@@ -123,9 +125,12 @@ end
 -- List helper
 local function _list(action, pat, cb)
- local fd = io.popen(ipkg .. " " .. action ..
- (pat and (" '%s'" % pat:gsub("'", "")) or ""))
+ local cmdline = { ipkg, action }
+ if pat then
+ cmdline[#cmdline+1] = util.shellquote(pat)
+ end
+ local fd = io.popen(table.concat(cmdline, " "))
 if fd then
 local name, version, sz, desc
 while true do
--
cgit v1.2.3