From f73da9ca82ff8e0352c3942ea78ab7d1d0317668 Mon Sep 17 00:00:00 2001
From: Dirk Brenken <dev@brenken.org>
Date: Sat, 29 Jun 2019 19:26:07 +0200
Subject: [PATCH] system-wide: fix escaping of magic chars

* fix escaping of magic lua chars (#2800)
* fix redundant second gsub line in shellstartsqescape function
* fix return value of shellstartsqescape function

Signed-off-by: Dirk Brenken <dev@brenken.org>
---
 .../luci-app-ocserv/luasrc/model/cbi/ocserv/users.lua        | 2 +-
 modules/luci-base/luasrc/cbi/datatypes.lua                   | 2 +-
 modules/luci-base/luasrc/util.lua                            | 5 ++---
 3 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/applications/luci-app-ocserv/luasrc/model/cbi/ocserv/users.lua b/applications/luci-app-ocserv/luasrc/model/cbi/ocserv/users.lua
index 0fa997c8b..3736471f5 100644
--- a/applications/luci-app-ocserv/luasrc/model/cbi/ocserv/users.lua
+++ b/applications/luci-app-ocserv/luasrc/model/cbi/ocserv/users.lua
@@ -26,7 +26,7 @@ pwd.password = false
 
 function pwd.write(self, section, value)
 	local pass
-	if string.match(value, "^\$%d\$.*") then
+	if string.match(value, "^%$%d%$.*") then
 		pass = value
 	else
 		local t = tonumber(nixio.getpid()*os.time())
diff --git a/modules/luci-base/luasrc/cbi/datatypes.lua b/modules/luci-base/luasrc/cbi/datatypes.lua
index 33d018d2d..c1cf01f9c 100644
--- a/modules/luci-base/luasrc/cbi/datatypes.lua
+++ b/modules/luci-base/luasrc/cbi/datatypes.lua
@@ -418,7 +418,7 @@ function maxlength(val, max)
 end
 
 function phonedigit(val)
-	return (val:match("^[0-9\*#!%.]+$") ~= nil)
+	return (val:match("^[0-9%*#!%.]+$") ~= nil)
 end
 
 function timehhmmss(val)
diff --git a/modules/luci-base/luasrc/util.lua b/modules/luci-base/luasrc/util.lua
index 1a329f3f2..a30e8b72f 100644
--- a/modules/luci-base/luasrc/util.lua
+++ b/modules/luci-base/luasrc/util.lua
@@ -207,9 +207,8 @@ end
 -- handling.  It may actually be a property of the getopt function
 -- rather than the shell proper.
 function shellstartsqescape(value)
-   res, _ = string.gsub(value, "^\-", "\\-")
-   res, _ = string.gsub(res, "^-", "\-")
-   return shellsqescape(value)
+   res, _ = string.gsub(value, "^%-", "\\-")
+   return shellsqescape(res)
 end
 
 -- containing the resulting substrings. The optional max parameter specifies
-- 
2.25.1