From f400982da4326d283cb09b764c78a198fdc58030 Mon Sep 17 00:00:00 2001
From: Jo-Philipp Wich
Date: Wed, 18 Dec 2019 21:22:06 +0100
Subject: [PATCH] luci-base: fs.js: properly escape arguments in exec_direct()

Signed-off-by: Jo-Philipp Wich
(cherry picked from commit e884b63916ebf6d1a7e4f7c92240a76964ecaa85)
---
 modules/luci-base/htdocs/luci-static/resources/fs.js | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/modules/luci-base/htdocs/luci-static/resources/fs.js b/modules/luci-base/htdocs/luci-static/resources/fs.js
index 612d4eb0f5..e1bf4f874a 100644
--- a/modules/luci-base/htdocs/luci-static/resources/fs.js
+++ b/modules/luci-base/htdocs/luci-static/resources/fs.js
@@ -374,11 +374,13 @@ var FileSystem = L.Class.extend(/** @lends LuCI.fs.prototype */ {
 * rejecting with an error stating the failure reason.
 */
 exec_direct: function(command, params) {
- var cmdstr = command;
+ var cmdstr = String(command)
+ .replace(/\\/g, '\\\\').replace(/(\s)/g, '\\$1');

 if (Array.isArray(params))
 for (var i = 0; i < params.length; i++)
- cmdstr += ' ' + params[i];
+ cmdstr += ' ' + String(params[i])
+ .replace(/\\/g, '\\\\').replace(/(\s)/g, '\\$1');

 var postdata = 'sessionid=%s&command=%s'
 .format(encodeURIComponent(L.env.sessionid), encodeURIComponent(cmdstr));
-- 
2.30.2
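Review bot: The escaping applied to `command` and to each `params[i]` when building `cmdstr` covers only backslashes and whitespace, so it is adequate only if the endpoint that receives `command=` splits on unescaped whitespace and never hands the string to a shell; that consumer is not visible in this hunk, so the assumption deserves a comment at the first `.replace` chain, e.g. `/* escape set matches the server-side tokenizer: backslash and whitespace only, no shell involved */`. Because this code runs in the browser, it keeps well-behaved callers' arguments intact but is not a security boundary, and the server still has to validate and authorize the requested command on its own. An empty-string entry in `params` still contributes nothing after the `' '` separator, so it would presumably be dropped, or shift the following arguments, when the string is split again. The identical `.replace(/\\/g, '\\\\').replace(/(\s)/g, '\\$1')` chain now appears twice and would be better as one shared helper so the two sites cannot drift apart. The body of `exec_direct` continues past the end of the hunk.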