From: Tom Haley
Date: Wed, 4 Dec 2024 19:19:25 +0000 (+0300)
Subject: luci-proto-wireguard: fixed a vulnerability in the checkPeerHost method
X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=101ea169c6af90c0aeaff6655b906b6d40155924;p=project%2Fluci.git

luci-proto-wireguard: fixed a vulnerability in the checkPeerHost method

shellquote method is introduced so an injected code cannot be executed by the popen command.

Signed-off-by: Tom Haley
---

diff --git a/protocols/luci-proto-wireguard/root/usr/share/rpcd/ucode/luci.wireguard b/protocols/luci-proto-wireguard/root/usr/share/rpcd/ucode/luci.wireguard
index 5ffcfd85a2..4d2a5912b7 100644
--- a/protocols/luci-proto-wireguard/root/usr/share/rpcd/ucode/luci.wireguard
+++ b/protocols/luci-proto-wireguard/root/usr/share/rpcd/ucode/luci.wireguard
@@ -16,7 +16,7 @@ function command(cmd) {
 }
 
 function checkPeerHost(configHost, configPort, wgHost) {
- const ips = popen(`resolveip ${configHost} 2>/dev/null`);
+ const ips = popen(`resolveip ${shellquote(configHost)} 2>/dev/null`);
 const hostIp = replace(wgHost, /\[|\]/g, "");
 if (ips) {
 for (let line = ips.read('line'); length(line); line = ips.read('line')) {
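Review bot: On the added `popen` line, quoting stops the shell from interpreting `configHost`, but a value that begins with `-` is still handed to `resolveip` as an option rather than a hostname. The line would be tighter as ``const ips = popen(`resolveip -- ${shellquote(configHost)} 2>/dev/null`);`` (assuming resolveip's option parser honours `--`), or with a hostname/IP format check on `configHost` before the call. `shellquote` is not defined anywhere in the visible hunk, so confirm that it wraps the value in single quotes, escapes embedded single quotes, and copes with a null or non-string argument. The body of `checkPeerHost` continues past the end of the hunk, so handling of the `ips` handle could not be reviewed here.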