authorMika Havela <mika.havela@gmail.com>2007-12-20 15:52:08 +0000
committerMika Havela <mika.havela@gmail.com>2007-12-20 15:52:08 +0000
commit4062108ee8796ab9f64f05d55cd48352399cd34c (patch)
tree5a889a0c07bfba7948e2d412fba8041cbc761ce2 /skins-model.lua
parent484fc64f0327fe1a1bbccd248e74406cd455882d (diff)
Added security against code-injection
git-svn-id: svn://svn.alpinelinux.org/acf/alpine-baselayout/trunk@443 ab2d0c66-481e-0410-8bed-d214d4d58bed
Diffstat (limited to 'skins-model.lua')
-rw-r--r--skins-model.lua31
1 files changed, 9 insertions, 22 deletions
diff --git a/skins-model.lua b/skins-model.lua
index dc9d5fb..41000b1 100644
--- a/skins-model.lua
+++ b/skins-model.lua
@@ -4,24 +4,10 @@ module (..., package.seeall)
-- no initializer in model - use controller.init for that
local function set_skins(skin)
---local addremove_opts = function ( addremove, file, variable, option )
--- if (string.lower(addremove) == "remove" ) then
- cmdtxt = "/bin/sed -i 's/skin=.*/skin=" .. skin .. "/' /etc/acf/acf.conf"
--- /bin/sed 's/skin=.*/skin=plupp/' /etc/acf/acf.conf
- local cmd, error = io.popen ( cmdtxt )
- local cmdoutput = cmd:read("*a")
- cmd:close()
- -- Cleanup the variable by removing unneccesary blanks
--- cmdtxt = "/bin/sed -i 's/\\\"\\ /\\\"/g' " .. file
--- cmdtxt = cmdtxt .. ";/bin/sed -i 's/\\ \\\"/\\\"/g' " .. file
--- local cmd, error = io.popen ( cmdtxt )
--- cmd:close()
--- elseif (string.lower(addremove) == "add" ) then
--- cmdtxt = "/bin/sed -i 's/\\(" .. variable .. ".*\\)\\\"/\\1" .. option .. " \\\"/' " .. file
--- local cmd, error = io.popen ( cmdtxt )
--- local cmdoutput = cmd:read("*a")
--- cmd:close()
--- end
+ cmdtxt = "/bin/sed -i 's/skin=.*/skin=" .. skin .. "/' /etc/acf/acf.conf"
+ local cmd, error = io.popen ( cmdtxt )
+ local cmdoutput = cmd:read("*a")
+ cmd:close()
return cmdtxt
end
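Review bot: `set_skins` still splices `skin` into the command string handed to `io.popen`, so the only thing keeping quotes and shell metacharacters out of the `sed` line is the allow-list check in `update`. Any other caller of this local function would reach the shell unchecked, and so would a name returned by `list_skins()` that itself contains `'`, `/` or `&` (how that list is built is not visible here). A guard at the top of the function keeps the sink safe independent of its callers, for example `if type(skin) ~= "string" or not skin:match("^[%w_%-]+$") then return nil end`, with the pattern adjusted to the real skin naming. Separately, `cmdtxt` is assigned without `local` and becomes a module global, `cmd` is not checked for nil before `cmd:read`, and the local named `error` shadows the built-in.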
@@ -51,12 +37,13 @@ get = function (self)
end
update = function (self,skin)
+ -- Make sure no one can inject code into the model.
local availableskins = list_skins()
--- for k,v in pars(availableskins.skinarray.name) do
--- if ( availableskins[k].name == skin) then
+ for i = 1 , table.maxn(availableskins) do
+ if ( availableskins[i].name == skin) and (skin ~= nil) then
return set_skins(skin)
--- end
--- end
+ end
+ end
end
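Review bot: When `skin` matches no entry, `update` falls off the end of the loop and returns nil without any error value, so a rejected input is indistinguishable from other failures and leaves nothing to log. Adding `return nil, "unknown skin"` after the loop would let the controller report and record the rejection. The `(skin ~= nil)` test does not depend on `i` and reads better as a guard before the loop, e.g. `if type(skin) ~= "string" then return nil, "invalid skin" end`. Because `table.maxn` returns the largest numeric key, `availableskins[i]` can be nil if the list has holes, in which case `availableskins[i].name` raises; whether `list_skins()` can return such a table is not visible in this hunk.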