luci-base: fs.js: properly escape arguments in exec_direct()
authorJo-Philipp Wich <jo@mein.io>
Wed, 18 Dec 2019 20:22:06 +0000 (21:22 +0100)
committerJo-Philipp Wich <jo@mein.io>
Sun, 19 Jan 2020 19:13:39 +0000 (20:13 +0100)
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit e884b63916ebf6d1a7e4f7c92240a76964ecaa85)

modules/luci-base/htdocs/luci-static/resources/fs.js

index 612d4eb0f58545de135a7bbfc15ab920d4cac364..e1bf4f874afbbace912857ea6f7882342afe0525 100644 (file)
@@ -374,11 +374,13 @@ var FileSystem = L.Class.extend(/** @lends LuCI.fs.prototype */ {
         * rejecting with an error stating the failure reason.
         */
        exec_direct: function(command, params) {
-               var cmdstr = command;
+               var cmdstr = String(command)
+                       .replace(/\\/g, '\\\\').replace(/(\s)/g, '\\$1');
 
                if (Array.isArray(params))
                        for (var i = 0; i < params.length; i++)
-                               cmdstr += ' ' + params[i];
+                               cmdstr += ' ' + String(params[i])
+                                       .replace(/\\/g, '\\\\').replace(/(\s)/g, '\\$1');
 
                var postdata = 'sessionid=%s&command=%s'
                        .format(encodeURIComponent(L.env.sessionid), encodeURIComponent(cmdstr));
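Review bot: The escaping added on the two `cmdstr` lines covers only backslashes and whitespace, so a `command` or `params[i]` value containing a quote character is still sent unmodified. The parser that splits `command` on the server is not visible here; if it gives quotes a meaning, such a value could still shift argument boundaries, so the escaped set should be checked against it. An empty-string parameter also adds nothing but a separator, so it presumably cannot arrive as an empty argument. The same two-step `replace` chain is written twice, and a single local helper such as `function esc(v) { return String(v).replace(/[\\\s'"]/g, '\\$&'); }` would keep both call sites in step with whatever the parser accepts. `exec_direct` continues past the end of this hunk.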