From: Jo-Philipp Wich
Date: Wed, 18 Dec 2019 20:22:06 +0000 (+0100)
Subject: luci-base: fs.js: properly escape arguments in exec_direct()
X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=e884b63916ebf6d1a7e4f7c92240a76964ecaa85;p=oweals%2Fluci.git
luci-base: fs.js: properly escape arguments in exec_direct()
Signed-off-by: Jo-Philipp Wich
---
diff --git a/modules/luci-base/htdocs/luci-static/resources/fs.js b/modules/luci-base/htdocs/luci-static/resources/fs.js
index 612d4eb0f..e1bf4f874 100644
--- a/modules/luci-base/htdocs/luci-static/resources/fs.js
+++ b/modules/luci-base/htdocs/luci-static/resources/fs.js
@@ -374,11 +374,13 @@ var FileSystem = L.Class.extend(/** @lends LuCI.fs.prototype */ {
 * rejecting with an error stating the failure reason.
 */
 exec_direct: function(command, params) {
- var cmdstr = command;
+ var cmdstr = String(command)
+ .replace(/\\/g, '\\\\').replace(/(\s)/g, '\\$1');
 if (Array.isArray(params))
 for (var i = 0; i < params.length; i++)
- cmdstr += ' ' + params[i];
+ cmdstr += ' ' + String(params[i])
+ .replace(/\\/g, '\\\\').replace(/(\s)/g, '\\$1');
 var postdata = 'sessionid=%s&command=%s'
 .format(encodeURIComponent(L.env.sessionid), encodeURIComponent(cmdstr));
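Review bot: The escape chain added for `command` and again for `params[i]` handles only backslashes and whitespace, so it keeps arguments intact only if the server-side tokenizer treats no other character (quotes, for example) specially; the hunk does not show that parser, so this is worth confirming and recording in a comment such as `// Must mirror the tokenizer of the exec endpoint; this is argument framing, not access control.` Because the string is assembled in the browser, any authenticated client can post an arbitrary `command` value, so the check of which commands a session may run has to remain on the server. An empty-string element in `params` escapes to nothing and would presumably be dropped when the server splits on whitespace. The duplicated chain could be one helper, e.g. `var esc = function(s) { return String(s).replace(/\\/g, '\\\\').replace(/(\s)/g, '\\$1'); };`. exec_direct's body continues past the end of the hunk.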