From 9db5fa93afdbb4667e523cba0e6bde4e73a01150 Mon Sep 17 00:00:00 2001 From: Jo-Philipp Wich Date: Thu, 5 Apr 2018 00:32:28 +0200 Subject: luci-base: fix possible shell injection in luci.tools.status.switch_status() Signed-off-by: Jo-Philipp Wich --- modules/luci-base/luasrc/tools/status.lua | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'modules/luci-base/luasrc') diff --git a/modules/luci-base/luasrc/tools/status.lua b/modules/luci-base/luasrc/tools/status.lua index 5012111815..1c4038735f 100644 --- a/modules/luci-base/luasrc/tools/status.lua +++ b/modules/luci-base/luasrc/tools/status.lua @@ -187,7 +187,7 @@ function switch_status(devs) local switches = { } for dev in devs:gmatch("[^%s,]+") do local ports = { } - local swc = io.popen("swconfig dev %q show" % dev, "r") + local swc = io.popen("swconfig dev '%s' show" % dev:gsub("'", ""), "r") if swc then local l repeat -- cgit v1.2.3