-rw-r--r-- | acf-hooks.lua | 3 | ||||
-rw-r--r-- | lib/format.lua | 12 | ||||
-rw-r--r-- | lib/fs.lua | 11 | ||||
-rw-r--r-- | lib/html.lua | 2 | ||||
-rw-r--r-- | lib/menubuilder.lua | 4 | ||||
-rw-r--r-- | lib/processinfo.lua | 21 | ||||
-rw-r--r-- | lib/roles.lua | 2 | ||||
-rw-r--r-- | lib/viewfunctions.lua | 6 |
8 files changed, 39 insertions, 22 deletions
diff --git a/acf-hooks.lua b/acf-hooks.lua 
index 41119bf..bae047e 100644 
--- a/acf-hooks.lua 
+++ b/acf-hooks.lua 
@@ -15,12 +15,13 @@
 -- self, CONFFILE, and TEMPFILE
 -- Example of a general logging function 
+require("format")
 local precommit=function(self, conf, temp)
 local logfile = "/var/log/acf-" .. self.conf.controller .. ".log"
 fs.write_line_file (logfile, "#---- BEGIN TRANSACTION - " .. os.date() .. "\n" .. self.sessiondata.userinfo.userid .. " modifed " .. conf .. " as follows:") 
- os.execute ("diff -u " .. conf .. " " .. temp .. " >>" .. logfile) 
+ os.execute ("diff -u " .. format.escapespecialcharacters(conf) .. " " .. format.escapespecialcharacters(temp) .. " >>" .. format.escapespecialcharacters(logfile))
 fs.write_line_file (logfile, "\n#---- END TRANSACTION -")
 end 
diff --git a/lib/format.lua b/lib/format.lua 
index 6ef831a..331d112 100644 
--- a/lib/format.lua 
+++ b/lib/format.lua 
@@ -13,8 +13,14 @@ function dostounix ( str )
 return data
 end 
+-- Escape Lua magic characters
 function escapemagiccharacters ( str ) 
- return string.gsub(str, "[%(%)%.%%%+%-%*%?%[%]%^%$]", "%%%1") 
+ return (string.gsub(str or "", "[%(%)%.%%%+%-%*%?%[%]%^%$]", "%%%1"))
 end 
+ 
+-- Escape shell special characters 
+function escapespecialcharacters ( str ) 
+ return (string.gsub(str or "", "[~`#%$&%*%(%)\\|%[%]{};\'\"<>/]", "\\%1"))
 end
 -- search and remove all blank and commented lines from a string or table of lines 
@@ -182,7 +188,7 @@ function string_to_table ( text, delimiter)
 end
 function md5sum_string ( str) 
- cmd = "/bin/echo -n " .. str .. "|/usr/bin/md5sum|cut -f 1 -d \" \" " 
+ local cmd = "/bin/echo -n \"" .. format.escapespecialcharacters(str) .. "\"|/usr/bin/md5sum|cut -f 1 -d \" \" "
 f = io.popen(cmd)
 local checksum = {}
 for line in f:lines() do 
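Review bot: The character class in `escapespecialcharacters` omits whitespace and `?`, so a value containing a space or tab still splits into additional shell words, an embedded newline still ends the command, and `?` still globs; this affects every unquoted use the commit introduces (acf-hooks.lua, fs.lua, menubuilder.lua, processinfo.lua, roles.lua). Adding `%s?` just before the closing `]` of the class covers those cases (a backslash before a newline becomes a line continuation rather than a command separator). Backslash escaping is only meaningful for an unquoted word; where a call site wraps the result in double quotes the backslash survives for most of these characters, so the two conventions should not be mixed. The header comment could state that contract, e.g. `-- Escape shell special characters; the result is meant to be used as one unquoted word`.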
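Review bot: `md5sum_string` wraps the escaped value in double quotes, but inside double quotes the shell removes the backslash only before `"`, `$`, backtick and `\`; for everything else the escaper adds (`*`, `(`, `[`, `;`, `/` …) the backslash is passed to `echo` as data, so the checksum is computed over different bytes than `str` whenever one of those characters is present. A value beginning with `-` is also parsed by `echo -n` as an option. Single quotes preserve the bytes exactly and `printf` has no option problem: `local cmd = "printf '%s' '" .. string.gsub(str or "", "'", "'\\''") .. "'|/usr/bin/md5sum|cut -f 1 -d \" \" "`. The following `f = io.popen(cmd)` is still an accidental global; `local f` would match the `local cmd` this hunk introduces. md5sum_string continues past the hunk.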
@@ -207,7 +213,7 @@ expand_bash_syntax_vars = function (str)
 for w in string.gmatch (str, "${[^}]*}" ) do
 local rvar = string.sub(w,3,-2)
 local rval = ( deref(rvar) or "nil" ) 
- str = string.gsub (str, w, rval) 
+ str = string.gsub (str, w, escapespecialcharacters(rval))
 end
 return (str) 
@@ -7,7 +7,8 @@ module (..., package.seeall) 
-require ("posix") 
+require("posix") 
+require("format")
 basename = function (string, suffix)
 string = string or "" 
@@ -43,7 +44,7 @@ end
 -- Creates a directory if it doesn't exist
 function create_directory ( path ) 
- local cmd = "mkdir -p "..(path or "") 
+ local cmd = "mkdir -p " .. format.escapespecialcharacters(path)
 local f = io.popen(cmd)
 f:close()
 return is_dir(path) 
@@ -53,7 +54,7 @@ end
 function create_file ( path )
 path = path or ""
 if dirname(path) and not posix.stat(dirname(path)) then create_directory(dirname(path)) end 
- local cmd = "touch "..path 
+ local cmd = "touch "..format.escapespecialcharacters(path)
 local f = io.popen(cmd)
 f:close()
 return is_file(path) 
@@ -116,9 +117,9 @@ end
 --will return a string with md5sum and filename
 function md5sum_file ( path ) 
- cmd = "/usr/bin/md5sum " .. (path or "") 
+ local cmd = "/usr/bin/md5sum "..format.escapespecialcharacters(path)
 f = io.popen(cmd) 
- checksum = f:read("*a") 
+ local checksum = f:read("*a")
 f:close()
 return checksum
 end 
diff --git a/lib/html.lua b/lib/html.lua 
index 4dac45f..b27bcf1 100644 
--- a/lib/html.lua 
+++ b/lib/html.lua 
@@ -41,7 +41,7 @@ function html_escape (text )
 str = string.gsub (str, "<", "<" )
 str = string.gsub (str, ">", ">" )
 str = string.gsub (str, "'", "'" ) 
- return string.gsub (str, '"', """ ) 
+ return (string.gsub (str, '"', """ ))
 end
 -- return a name,value pair as a string. 
diff --git a/lib/menubuilder.lua b/lib/menubuilder.lua 
index c7ff075..4105db6 100644 
--- a/lib/menubuilder.lua 
+++ b/lib/menubuilder.lua 
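Review bot: `str = string.gsub (str, w, escapespecialcharacters(rval))` still uses the raw `${...}` text `w` as a Lua pattern and the value as a replacement string, so a `%` in the value raises "invalid use of '%' in replacement string" and pattern characters inside the braces can alter or break the match; the added shell escaping changes neither. `escapemagiccharacters`, which this commit fixes, is the right tool for the pattern, and a function replacement sidesteps `%` handling: `str = string.gsub (str, escapemagiccharacters(w), function () return escapespecialcharacters(rval) end)`. The hunk also does not make clear that every consumer of expand_bash_syntax_vars passes the result to a shell; a header comment naming the intended consumer would keep a plain-text caller from being surprised by the backslashes. The function body continues outside the hunk.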
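Review bot: `"mkdir -p " .. format.escapespecialcharacters(path)` escapes metacharacters, but a path beginning with `-` is still read by mkdir as an option, and the same applies to `touch` in create_file and `/usr/bin/md5sum` in md5sum_file below. Terminating option parsing with `--` is a one-token change at each site: `local cmd = "mkdir -p -- " .. format.escapespecialcharacters(path)`. Since this file already requires `posix`, the two filesystem helpers could presumably avoid the shell entirely, but that is a larger change than this commit attempts.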
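Review bot: `f = io.popen(cmd)` in md5sum_file remains undeclared while this hunk makes `cmd` and `checksum` local; with `module (..., package.seeall)` at the top of the file the undeclared `f` lands in the module table rather than in a local, visible to every other function in fs.lua. `local f = io.popen(cmd)` completes the cleanup and matches create_directory and create_file above.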
@@ -5,12 +5,14 @@
 ]]--
 module(..., package.seeall) 
+require("format") 
+
 -- returns a table of the "*.menu" tables
 -- uses the system "find" command
 -- startdir should be the app dir.
 local get_candidates = function (startdir)
 local t = {} 
- local fh = io.popen('find ' .. startdir .. ' -name "*.menu"') 
+ local fh = io.popen('find ' .. format.escapespecialcharacters(startdir) .. ' -name "*.menu"')
 for x in fh:lines() do
 t[#t + 1] = x
 end 
diff --git a/lib/processinfo.lua b/lib/processinfo.lua 
index 736cfd2..bc8c5dd 100644 
--- a/lib/processinfo.lua 
+++ b/lib/processinfo.lua 
@@ -1,14 +1,15 @@
 module(..., package.seeall) 
-require("fs")
 require("posix") 
+require("fs") 
+require("format")
 local path = "PATH=/usr/bin:/bin:/usr/sbin:/sbin "
 function package_version(packagename)
 local cmderrors 
- local f = io.popen( "PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin apk_version -vs " .. packagename .." | egrep -v 'acf' 2>/dev/null" ) 
+ local f = io.popen( "PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin apk_version -vs " .. format.escapespecialcharacters(packagename) .." | egrep -v 'acf' 2>/dev/null" )
 local cmdresult = f:read("*l")
 if (cmdresult) and (#cmdresult > 0) then
 cmdresult = (string.match(cmdresult,"^%S*") or "Unknown") 
@@ -21,7 +22,7 @@ end
 function process_startupsequence(servicename)
 local cmderrors 
- local f = io.popen( "/sbin/rc_status | egrep '^S' | egrep '" .. servicename .."' 2>/dev/null" ) 
+ local f = io.popen( "/sbin/rc_status | egrep '^S' | egrep \"" .. format.escapespecialcharacters(servicename) .."\" 2>/dev/null" )
 local cmdresult = f:read("*a")
 if (cmdresult) and (#cmdresult > 0) then
 cmdresult = "Service will autostart at next boot (at sequence '" .. string.match(cmdresult,"^%a+(%d%d)") .. "')" 
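Review bot: `process_startupsequence` now feeds the escaped `servicename` to `egrep` inside double quotes as an unanchored extended regex, so a name that is a substring of another service's name, or one containing `.` or `+`, matches the wrong `rc_status` line; the commit's escaping does not address the regex side. Inside double quotes the shell also keeps the backslash for most characters the escaper adds, so egrep receives `\*`-style sequences rather than the name as typed — harmless for ERE, but a different contract from the unquoted call sites elsewhere in this commit. A fixed-string match with the name single-quoted (`grep -F -- '` .. name with embedded `'` rewritten as `'\''` .. `'`), or an anchor matching the line layout that the `^%a+(%d%d)` match below expects, would make the comparison literal; that layout is not visible here, so the author should confirm which form fits. The function continues past the hunk.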
@@ -78,8 +79,8 @@ function add_startupsequence(servicename, sequence, kill, system)
 local cmd = {path, "rc_add"}
 if kill then cmd[#cmd+1] = "-k" end
 if system then cmd[#cmd+1] = "-S" end 
- if sequence then cmd[#cmd+1] = "-s "..sequence end 
- cmd[#cmd+1] = servicename 
+ if sequence and tonumber(sequence) then cmd[#cmd+1] = "-s "..sequence end 
+ cmd[#cmd+1] = format.escapespecialcharacters(servicename)
 cmd[#cmd+1] = "2>&1"
 delete_startupsequence(servicename)
 local f = io.popen(table.concat(cmd, " ")) 
@@ -96,7 +97,7 @@ function delete_startupsequence(servicename)
 if not servicename then
 cmderrors = "Invalid service name"
 else 
- local f = io.popen(path.."rc_delete "..servicename) 
+ local f = io.popen(path.."rc_delete "..format.escapespecialcharacters(servicename))
 cmdresult = f:read("*a")
 f:close()
 if cmdresult == "" then cmderrors = "Failed to delete sequence" end 
@@ -108,9 +109,11 @@ end
 function daemoncontrol (process, action)
 local cmdresult = ""
 local cmderrors 
- if (string.lower(action) == "start") or (string.lower(action) == "stop") or (string.lower(action) == "restart") then 
+ if not process then 
+ cmderrors = "Invalid service name" 
+ elseif (string.lower(action) == "start") or (string.lower(action) == "stop") or (string.lower(action) == "restart") then
 local file = io.popen( "PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin /etc/init.d/" .. 
- process .. " " .. string.lower(action) .. " 2>&1" ) 
+ format.escapespecialcharacters(process) .. " " .. string.lower(action) .. " 2>&1" )
 if file ~= nil then
 cmdresult = file:read( "*a" )
 file:close() 
@@ -180,7 +183,7 @@ end
 local function has_pidfile(name)
 local pid 
- local f = io.popen(path .. "find /var/run/ -name "..name..".pid") 
+ local f = io.popen(path .. "find /var/run/ -name "..format.escapespecialcharacters(name)..".pid")
 local file = f:read("*a")
 f:close()
 if file and string.find(file, "%w") then 
diff --git a/lib/roles.lua b/lib/roles.lua 
index b828458..e57490e 100644 
--- a/lib/roles.lua 
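Review bot: `tonumber(sequence)` admits more than a plain sequence number — hexadecimal, exponent notation and surrounding whitespace all pass — and it is the original string, not the parsed number, that is concatenated into `"-s "..sequence`, so whitespace in it becomes an extra word on the rc_add command line. Matching digits directly keeps the argument a single token: `if sequence and string.match(sequence, "^%d+$") then cmd[#cmd+1] = "-s "..sequence end`. add_startupsequence continues past the hunk.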
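Review bot: The new `if not process` guard only rejects nil, and because the escaper turns `/` into `\/`, which the shell reads back as a plain `/`, a name containing `..` and `/` still resolves to a script outside `/etc/init.d/`; metacharacter escaping does not confine the command to that directory. Rejecting any slash in the name closes this: `if not process or string.find(process, "/", 1, true) then`. The `elseif` still calls `string.lower(action)` before checking `action`, so a nil action raises instead of setting `cmderrors`; `or not action` in the same guard would cover it. daemoncontrol continues past the hunk.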
+++ b/lib/roles.lua 
@@ -12,7 +12,7 @@ guest_role = "GUEST"
 -- startdir should be the app dir
 local get_roles_candidates = function (startdir)
 local t = {} 
- local fh = io.popen('find ' .. startdir .. ' -name "*.roles"') 
+ local fh = io.popen('find ' .. format.escapespecialcharacters(startdir) .. ' -name "*.roles"')
 for x in fh:lines() do
 t[#t + 1] = x
 end 
diff --git a/lib/viewfunctions.lua b/lib/viewfunctions.lua 
index f1c5436..cee6db6 100644 
--- a/lib/viewfunctions.lua 
+++ b/lib/viewfunctions.lua 
@@ -175,7 +175,11 @@ function displayformstart(myform, page_info)
 end
 if myform.descr then io.write('<P CLASS="descr">' .. string.gsub(html.html_escape(myform.descr), "\n", "<BR>") .. "</P>\n") end
 if myform.errtxt then io.write('<P CLASS="error">' .. string.gsub(html.html_escape(myform.errtxt), "\n", "<BR>") .. "</P>\n") end 
- io.write('<form action="' .. html.html_escape(myform.action) .. '" method="POST">\n') 
+ io.write('<form action="' .. html.html_escape(myform.action) .. '" ') 
+ if myform.enctype and myform.enctype ~= "" then 
+ io.write('enctype="'..html.html_escape(myform.enctype)..'" ') 
+ end 
+ io.write('method="POST">\n')
 if myform.value.redir then displayformitem(myform.value.redir, "redir") end |
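Review bot: roles.lua now calls `format.escapespecialcharacters` but, unlike menubuilder.lua and processinfo.lua in this commit, gains no `require("format")` (the diffstat lists a single changed line for it), so `format` resolves only if another module has already loaded it — presumably through the global that `module(..., package.seeall)` creates. Add `require("format")` beside the file's other requires so the dependency is explicit and load order stops mattering. The require block of roles.lua is outside the hunk.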