Introduce a new function luci.util.shellquote() which encloses the given
string argument in single quotes and escapes any embedded single quote
characters.

This function is intended to be used when interpolating untrusted input
into shell commands.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
return value and tparser.striptags(tostring(value))
end
return value and tparser.striptags(tostring(value))
end
+function shellquote(value)
+ return string.format("'%s'", string.gsub(value or "", "'", "'\\''"))
+end
+
-- for bash, ash and similar shells single-quoted strings are taken
-- literally except for single quotes (which terminate the string)
-- (and the exception noted below for dash (-) at the start of a
-- for bash, ash and similar shells single-quoted strings are taken
-- literally except for single quotes (which terminate the string)
-- (and the exception noted below for dash (-) at the start of a
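Review bot: In the added shellquote(), string.gsub() returns two values (the substituted string and the match count) and both are forwarded to string.format(), which only works because the format contains a single %s and the extra argument is ignored. Wrap the call in parentheses, as in `(string.gsub(value or "", "'", "'\\''"))`, so that only the string is passed on. Separately, `value or ""` covers nil, but a table or `true` argument makes gsub raise an error; the striptags context line above coerces with tostring(value), and doing the same here would keep the helper from throwing on non-string input.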
if not haveldd or not haveexe then
return false
end
if not haveldd or not haveexe then
return false
end
- local libs = exec("/usr/bin/ldd " .. fullpathexe)
+ local libs = exec(string.format("/usr/bin/ldd %s", shellquote(fullpathexe)))
if not libs then
return false
end
if not libs then
return false
end
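Review bot: Quoting fullpathexe on the changed exec() line keeps the shell from interpreting metacharacters, but it does not keep ldd from reading a value that starts with "-" as an option; compare the dash (-) exception mentioned in the comment after shellquote(). If fullpathexe is not guaranteed to be an absolute path at this point, check that it starts with "/" and return false otherwise before calling exec().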
@return String with HTML tags stripped of
]]
@return String with HTML tags stripped of
]]
+---[[
+Safely quote value for use in shell commands.
+
+@class function
+@name shellquote
+@param value String containing the value to quote
+@return Single-quote enclosed string with embedded quotes escaped
+]]
+
---[[
Splits given string on a defined separator sequence and return a table
---[[
Splits given string on a defined separator sequence and return a table
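Review bot: The added doc block describes value as a String, but the implementation uses `value or ""`, so a nil argument yields the empty quoted string '' instead of an error. Document that behaviour in @param or @return, since a caller building a command line may not expect an empty argument to be passed silently. It would also help to state that the quoting follows the single-quote rules of bash, ash and similar shells, as the code comment in the first hunk does.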