luci-base: fix possible shell injection in luci.tools.status.switch_status()

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-04-05 00:32:28 +02:00 · 2018-04-05 00:32:28 +02:00 · 9db5fa93af
commit 9db5fa93af
parent 186e690c08
1 changed files with 1 additions and 1 deletions
--- a/modules/luci-base/luasrc/tools/status.lua
+++ b/modules/luci-base/luasrc/tools/status.lua
@ -187,7 +187,7 @@ function switch_status(devs)
 	local switches = { }
 	for dev in devs:gmatch("[^%s,]+") do
 		local ports = { }
-		local swc = io.popen("swconfig dev %q show" % dev, "r")
+		local swc = io.popen("swconfig dev '%s' show" % dev:gsub("'", ""), "r")
 		if swc then
 			local l
 			repeat