From 101ea169c6af90c0aeaff6655b906b6d40155924 Mon Sep 17 00:00:00 2001
From: Tom Haley
Date: Wed, 4 Dec 2024 22:19:25 +0300
Subject: [PATCH] luci-proto-wireguard: fixed a vulnerability in the checkPeerHost method

shellquote method is introduced so an injected code cannot be executed by the popen command.

Signed-off-by: Tom Haley
---
 .../root/usr/share/rpcd/ucode/luci.wireguard | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/protocols/luci-proto-wireguard/root/usr/share/rpcd/ucode/luci.wireguard b/protocols/luci-proto-wireguard/root/usr/share/rpcd/ucode/luci.wireguard
index 5ffcfd85a2..4d2a5912b7 100644
--- a/protocols/luci-proto-wireguard/root/usr/share/rpcd/ucode/luci.wireguard
+++ b/protocols/luci-proto-wireguard/root/usr/share/rpcd/ucode/luci.wireguard
@@ -16,7 +16,7 @@ function command(cmd) {
 }

 function checkPeerHost(configHost, configPort, wgHost) {
- const ips = popen(`resolveip ${configHost} 2>/dev/null`);
+ const ips = popen(`resolveip ${shellquote(configHost)} 2>/dev/null`);
 const hostIp = replace(wgHost, /\[|\]/g, "");
 if (ips) {
 for (let line = ips.read('line'); length(line); line = ips.read('line')) {
--
2.30.2
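Review bot: On the added `popen` line in checkPeerHost, quoting keeps the shell from interpreting `configHost`, but a value that begins with `-` is still handed to resolveip as an option rather than a hostname. If resolveip honours the usual `--` end-of-options marker, `` popen(`resolveip -- ${shellquote(configHost)} 2>/dev/null`) `` would close that gap, and rejecting anything that is not a hostname or IP literal before the call would be stricter still. `shellquote` is neither defined nor imported in the visible lines, so confirm it is in scope in this file and that it escapes embedded single quotes. The body of checkPeerHost continues past the end of the hunk, and `command(cmd)` above it also takes a ready-made shell string, so its callers presumably deserve the same audit.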