Skip to content

Commit

Permalink
luci-mod-admin-full: fix possible shell injection in bandwith status
Browse files Browse the repository at this point in the history 
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
  • Loading branch information
@jow-
jow- committed Apr 4, 2018
1 parent 9db5fa9 commit 9e4b8a9
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions modules/luci-mod-admin-full/luasrc/controller/admin/status.lua
View file
Original file line number Diff line number Diff line change
Expand Up @@ -62,7 +62,7 @@ end
function action_bandwidth(iface)
luci.http.prepare_content("application/json")

local bwc = io.popen("luci-bwc -i %q 2>/dev/null" % iface)
local bwc = io.popen("luci-bwc -i '%s' 2>/dev/null" % iface:gsub("'", ""))
if bwc then
luci.http.write("[")

Expand All @@ -80,7 +80,7 @@ end
function action_wireless(iface)
luci.http.prepare_content("application/json")

local bwc = io.popen("luci-bwc -r %q 2>/dev/null" % iface)
local bwc = io.popen("luci-bwc -r '%s' 2>/dev/null" % iface:gsub("'", ""))
if bwc then
luci.http.write("[")

Expand Down

1 comment on commit 9e4b8a9

@peterwillcn
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https://www.cvedetails.com/cve/CVE-2019-12272/

Please sign in to comment.