From: Jo-Philipp Wich <jo@mein.io>
Date: Wed, 4 Apr 2018 22:32:28 +0000 (+0200)
Subject: luci-base: fix possible shell injection in luci.tools.status.switch_status()
X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=9db5fa93afdbb4667e523cba0e6bde4e73a01150;p=oweals%2Fluci.git

luci-base: fix possible shell injection in luci.tools.status.switch_status()

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
---

diff --git a/modules/luci-base/luasrc/tools/status.lua b/modules/luci-base/luasrc/tools/status.lua
index 501211181..1c4038735 100644
--- a/modules/luci-base/luasrc/tools/status.lua
+++ b/modules/luci-base/luasrc/tools/status.lua
@@ -187,7 +187,7 @@ function switch_status(devs)
 	local switches = { }
 	for dev in devs:gmatch("[^%s,]+") do
 		local ports = { }
-		local swc = io.popen("swconfig dev %q show" % dev, "r")
+		local swc = io.popen("swconfig dev '%s' show" % dev:gsub("'", ""), "r")
 		if swc then
 			local l
 			repeat