From c0d9c4f3ce7bda19081d0da01a599bec067338a3 Mon Sep 17 00:00:00 2001
From: Jo-Philipp Wich <jo@mein.io>
Date: Thu, 5 Apr 2018 09:32:22 +0200
Subject: treewide: filter shell arguments through shellquote() where
 applicable

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
---
 modules/luci-base/luasrc/sys.lua | 23 ++++++++---------------
 1 file changed, 8 insertions(+), 15 deletions(-)

(limited to 'modules/luci-base/luasrc/sys.lua')

diff --git a/modules/luci-base/luasrc/sys.lua b/modules/luci-base/luasrc/sys.lua
index 12b20e4c3..823e20770 100644
--- a/modules/luci-base/luasrc/sys.lua
+++ b/modules/luci-base/luasrc/sys.lua
@@ -87,10 +87,10 @@ end
 function httpget(url, stream, target)
 	if not target then
 		local source = stream and io.popen or luci.util.exec
-		return source("wget -qO- '"..url:gsub("'", "").."'")
+		return source("wget -qO- %s" % luci.util.shellquote(url))
 	else
-		return os.execute("wget -qO '%s' '%s'" %
-			{target:gsub("'", ""), url:gsub("'", "")})
+		return os.execute("wget -qO %s %s" %
+			{luci.util.shellquote(target), luci.util.shellquote(url)})
 	end
 end
 
@@ -443,18 +443,11 @@ function user.checkpasswd(username, pass)
 end
 
 function user.setpasswd(username, password)
-	if password then
-		password = password:gsub("'", [['"'"']])
-	end
-
-	if username then
-		username = username:gsub("'", [['"'"']])
-	end
-
-	return os.execute(
-		"(echo '" .. password .. "'; sleep 1; echo '" .. password .. "') | " ..
-		"passwd '" .. username .. "' >/dev/null 2>&1"
-	)
+	return os.execute("(echo %s; sleep 1; echo %s) | passwd %s >/dev/null 2>&1" %{
+		luci.util.shellquote(password),
+		luci.util.shellquote(password),
+		luci.util.shellquote(username)
+	})
 end
 
 
-- 
cgit v1.2.3