
luci-mod-admin-full: fix possible shell injection in bandwith status

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
jow- committed Apr 4, 2018
1 parent 9db5fa9 commit 9e4b8a91384562e3baee724a52b72e30b1aa006d
Showing with 2 additions and 2 deletions.
  1. +2 −2 modules/luci-mod-admin-full/luasrc/controller/admin/status.lua
@@ -62,7 +62,7 @@ end
function action_bandwidth(iface)
luci.http.prepare_content("application/json")

local bwc = io.popen("luci-bwc -i %q 2>/dev/null" % iface)
local bwc = io.popen("luci-bwc -i '%s' 2>/dev/null" % iface:gsub("'", ""))
if bwc then
luci.http.write("[")

@@ -80,7 +80,7 @@ end
function action_wireless(iface)
luci.http.prepare_content("application/json")

local bwc = io.popen("luci-bwc -r %q 2>/dev/null" % iface)
local bwc = io.popen("luci-bwc -r '%s' 2>/dev/null" % iface:gsub("'", ""))
if bwc then
luci.http.write("[")
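Review bot: Stripping `'` from `iface` before wrapping it in single quotes is a one-character deny-list, repeated verbatim in `action_bandwidth` and `action_wireless`. It does hold for a POSIX shell, where nothing else is special inside single quotes, but an allowlist check ahead of each `io.popen` call would be easier to audit and would reject unexpected input instead of silently rewriting it. For example `if not iface or not iface:match("^[%w%.%-_:]+$") then return end`, with the character set adjusted to the device names actually in use. The `not iface` guard matters because `iface:gsub` raises on a nil value, which presumably occurs when the handler is requested without an interface argument; the caller is not visible here. Both function bodies continue past the end of their hunks.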

1 comment on commit 9e4b8a9

@peterwillcn

This comment has been minimized.
