luci-base: introduce luci.util.shellquote()

Introduce a new function luci.util.shellquote() which encloses the given string argument in single quotes and escapes any embedded single quote characters. This function is intended to be used when interpolating untrusted input into shell commands. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-04-05 09:29:38 +02:00 · 2018-04-05 09:29:38 +02:00 · 45cefe71f6
commit 45cefe71f6
parent 9e4b8a9138
2 changed files with 14 additions and 1 deletions
--- a/modules/luci-base/luasrc/util.lua
+++ b/modules/luci-base/luasrc/util.lua
@ -164,6 +164,10 @@ function striptags(value)
 	return value and tparser.striptags(tostring(value))
 end

+function shellquote(value)
+	return string.format("'%s'", string.gsub(value or "", "'", "'\\''"))
+end
+
 -- for bash, ash and similar shells single-quoted strings are taken
 -- literally except for single quotes (which terminate the string)
 -- (and the exception noted below for dash (-) at the start of a
@ -656,7 +660,7 @@ function checklib(fullpathexe, wantedlib)
 	if not haveldd or not haveexe then
 		return false
 	end
-	local libs = exec("/usr/bin/ldd " .. fullpathexe)
+	local libs = exec(string.format("/usr/bin/ldd %s", shellquote(fullpathexe)))
 	if not libs then
 		return false
 	end
--- a/modules/luci-base/luasrc/util.luadoc
+++ b/modules/luci-base/luasrc/util.luadoc
@ -82,6 +82,15 @@ Strip HTML tags from given string.
@return	String with HTML tags stripped of
 ]]

+---[[
+Safely quote value for use in shell commands.
+
+@class function
+@name shellquote
+@param value  String containing the value to quote
+@return Single-quote enclosed string with embedded quotes escaped
+]]
+
 ---[[
 Splits given string on a defined separator sequence and return a table