Skip to content

Commit

Permalink
fix: direct mode allows injecting unauthorized filesystem operations
Browse files Browse the repository at this point in the history
  • Loading branch information
@wodny
wodny committed Oct 27, 2015
1 parent cce7db5 commit c4f4ac3
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions default-direct.lua
View file
Expand Up @@ -109,13 +109,13 @@ direct.action = function(inlet)
error('Refusing to erase your harddisk!')
end

local command = '/bin/mv $1 $2 || /bin/rm -rf $1'
local command = '/bin/mv "$1" "$2" || /bin/rm -rf "$1"'

if
config.delete ~= true and
config.delete ~= 'running'
then
command = '/bin/mv $1 $2'
command = '/bin/mv "$1" "$2"'
end

spawnShell(
Expand Down

0 comments on commit c4f4ac3

Please sign in to comment.