From 3fe565d231f597fe6eeaa0cc6923a95f1398cf33 Mon Sep 17 00:00:00 2001 From: Ted Trask Date: Wed, 21 Jan 2009 22:04:37 +0000 Subject: Added escapespecialcharacters to format.lua to escape shell special characters. Reviewed all calls to io.popen and os.execute to escape special characters. Fixed file uploads in openssl and ipsectools with viewfunctions.lua. Tried to fix openssl renew when subject contains special characters, but not done yet. git-svn-id: svn://svn.alpinelinux.org/acf/iptables/trunk@1687 ab2d0c66-481e-0410-8bed-d214d4d58bed --- iptables-model.lua | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) (limited to 'iptables-model.lua') diff --git a/iptables-model.lua b/iptables-model.lua index cad707a..0447e41 100644 --- a/iptables-model.lua +++ b/iptables-model.lua @@ -260,7 +260,7 @@ function update_chain(chain) if success then if chain.value.policy then - local cmd = path .. "iptables -t "..chain.value.table.value.." -P "..chain.value.chain.value.." "..chain.value.policy.value.." 2>&1" + local cmd = path .. "iptables -t "..format.escapespecialcharacters(chain.value.table.value).." -P "..format.escapespecialcharacters(chain.value.chain.value).." "..format.escapespecialcharacters(chain.value.policy.value).." 2>&1" local f = io.popen(cmd) local errtxt = f:read("*a") f:close() @@ -292,7 +292,7 @@ function create_chain(chain) end if success then - local cmd = path .. "iptables -t "..chain.value.table.value.." -N "..chain.value.chain.value.." 2>&1" + local cmd = path .. "iptables -t "..format.escapespecialcharacters(chain.value.table.value).." -N "..format.escapespecialcharacters(chain.value.chain.value).." 2>&1" local f = io.popen(cmd) local errtxt = f:read("*a") if errtxt ~= "" then 
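Review bot: In update_chain the table, chain and policy values are only shell-escaped before being concatenated into `cmd`, so a value that starts with `-` or contains whitespace may still be read by iptables as an extra option or argument; format.escapespecialcharacters is not shown here, so this depends on which characters it covers. Escaping is better kept as the second line of defence behind an allowlist check done before `cmd` is built, for example `if not string.match(chain.value.chain.value, "^[%w_][%w_%-]*$") then chain.value.chain.errtxt = "Invalid chain name" success = false end`, with the table compared against the fixed set of iptables table names. The same applies to the `-N` command in create_chain, `-X` in delete_chain and `-D` in delete_rule. These functions begin and end outside the hunks, so validation that is not visible here may already cover part of this.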
@@ -318,7 +318,7 @@ function delete_chain(tab, chain) elseif chn.references and tonumber(chn.references) > 0 then retval.errtxt = "Cannot delete chain with references" else - local cmd = path .. "iptables -t "..tab.." -X "..chain.." 2>&1" + local cmd = path .. "iptables -t "..format.escapespecialcharacters(tab).." -X "..format.escapespecialcharacters(chain).." 2>&1" local f = io.popen(cmd) local errtxt = f:read("*a") if errtxt ~= "" then @@ -488,13 +488,13 @@ function create_rule(rule) if success then local spec = generate_rule_specification(rule) - local cmd = path .. "iptables -t " .. rule.value.table.value - if rule.value.position.value ~= "" then - cmd = cmd .. " -I " .. rule.value.chain.value .. " " .. rule.value.position.value + local cmd = path .. "iptables -t " .. format.escapespecialcharacters(rule.value.table.value) + if tonumber(rule.value.position.value) then + cmd = cmd .. " -I " .. format.escapespecialcharacters(rule.value.chain.value) .. " " .. format.escapespecialcharacters(rule.value.position.value) else - cmd = cmd .. " -A " .. rule.value.chain.value + cmd = cmd .. " -A " .. format.escapespecialcharacters(rule.value.chain.value) end - cmd = cmd .. " " .. spec .. " 2>&1" + cmd = cmd .. " " .. format.escapespecialcharacters(spec) .. " 2>&1" local f = io.popen(cmd) rule.errtxt = f:read("*a") f:close() 
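Review bot: In create_rule, `format.escapespecialcharacters(spec)` escapes the whole output of generate_rule_specification as one string, which cannot tell the separators and option syntax the generator emitted from characters that came from user fields. Depending on what the helper escapes (it is not shown here), this either alters legitimate rule syntax or leaves argument boundaries inside the spec unprotected. Escaping each user-supplied field inside generate_rule_specification and passing `spec` through unchanged would be safer; update_rule builds its `-R` command the same way. Separately, a non-numeric position now falls through to `-A` silently, so unless validate_rule rejects it, a mistyped position appends the rule at the end of the chain; consider adding `rule.value.position.errtxt = "Must be a number"` for a non-empty, non-numeric value, as update_rule does.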
@@ -510,14 +510,14 @@ end function update_rule(rule) local success, rule = validate_rule(rule) - if rule.value.position.value == "" then - rule.value.position.errtxt = "Cannot be empty" - successs = false + if not tonumber(rule.value.position.value) then + rule.value.position.errtxt = "Must be a number" + success = false end if success then local spec = generate_rule_specification(rule) - local cmd = path .. "iptables -t " .. rule.value.table.value .. " -R " .. rule.value.chain.value .. " " .. rule.value.position.value .. " " .. spec .. " 2>&1" + local cmd = path .. "iptables -t " .. format.escapespecialcharacters(rule.value.table.value) .. " -R " .. format.escapespecialcharacters(rule.value.chain.value) .. " " .. format.escapespecialcharacters(rule.value.position.value) .. " " .. format.escapespecialcharacters(spec) .. " 2>&1" local f = io.popen(cmd) rule.errtxt = f:read("*a") f:close() @@ -536,7 +536,7 @@ function delete_rule(tab, chain, pos) if not tab or not chain or not pos then cmdresult.errtxt = "Incomplete specification - must define table, chain, and position" else - local cmd = path .. "iptables -t " .. tab .. " -D " .. chain .. " " .. pos + local cmd = path .. "iptables -t " .. format.escapespecialcharacters(tab) .. " -D " .. format.escapespecialcharacters(chain) .. " " .. format.escapespecialcharacters(pos) local f = io.popen(cmd) cmdresult.value = f:read("*a") f:close() -- cgit v1.2.3
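Review bot: In update_rule, `tonumber(rule.value.position.value)` accepts more than a rule index: hexadecimal (`0x10`), exponent forms (`1e2`), negative and fractional values, and strings with surrounding whitespace all convert successfully. iptables expects a positive integer for the rule number, so a stricter check such as `if not string.match(tostring(rule.value.position.value), "^[1-9]%d*$") then` would reject those before the command is built. The same applies to the `if tonumber(rule.value.position.value) then` branch in create_rule. The function continues outside the hunk.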
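Review bot: In delete_rule, `pos` is escaped but never checked to be a rule number, unlike the position checks this commit adds to create_rule and update_rule. An extra branch before the `else`, `elseif not string.match(tostring(pos), "^[1-9]%d*$") then cmdresult.errtxt = "Position must be a number"`, would bring it in line. This command is also the only one in the diff without ` 2>&1`, so iptables error output is not captured in `cmdresult.value` and a failed delete may look like success to the caller. If that is not intentional, append `.. " 2>&1"` and report non-empty output through `cmdresult.errtxt`. The function body starts and ends outside the hunk.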