Difuse/luci
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

luci-mod-admin-full: fix possible shell injection in bandwith status

Browse source 
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
This commit is contained in:
Jo-Philipp Wich 2018-04-05 00:33:09 +02:00
parent 9db5fa93af
commit 9e4b8a9138
1 changed files with 2 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
modules/luci-mod-admin-full/luasrc/controller/admin/status.lua
View file

@ -62,7 +62,7 @@ end
function action_bandwidth(iface)
luci.http.prepare_content("application/json")
local bwc = io.popen("luci-bwc -i %q 2>/dev/null" % iface)
local bwc = io.popen("luci-bwc -i '%s' 2>/dev/null" % iface:gsub("'", ""))
if bwc then
luci.http.write("[")
@ -80,7 +80,7 @@ end
function action_wireless(iface)
luci.http.prepare_content("application/json")
local bwc = io.popen("luci-bwc -r %q 2>/dev/null" % iface)
local bwc = io.popen("luci-bwc -r '%s' 2>/dev/null" % iface:gsub("'", ""))
if bwc then
luci.http.write("[")