From 89b55a7ae09796d360c64fb930189d0af74ce813 Mon Sep 17 00:00:00 2001
From: Paul Donald
Date: Wed, 5 Nov 2025 22:10:48 +0100
Subject: [PATCH] luci-base: shell quote package name variable to prevent command injection

Do not export the function for use elsewhere - it shall only be used within the luci script (to determine netifd version).

Signed-off-by: Paul Donald
---
 modules/luci-base/root/usr/share/rpcd/ucode/luci | 16 ++--------------
 1 file changed, 2 insertions(+), 14 deletions(-)

diff --git a/modules/luci-base/root/usr/share/rpcd/ucode/luci b/modules/luci-base/root/usr/share/rpcd/ucode/luci
index 624523af38..c0ebc8cb27 100644
--- a/modules/luci-base/root/usr/share/rpcd/ucode/luci
+++ b/modules/luci-base/root/usr/share/rpcd/ucode/luci
@@ -22,7 +22,7 @@ function callPackageVersionCheck(pkg) {
 if ( access('/bin/opkg') ) { // <= v24.10
- let fd = popen('opkg list-installed ' + pkg + ' 2>/dev/null');
+ let fd = popen('opkg list-installed ' + shellquote(pkg) + ' 2>/dev/null');
 if (fd) {
 const re = regexp('^' + pkg + ' - (.+)$', 's');
 const m = match(fd.read('all'), re);
@@ -33,7 +33,7 @@ function callPackageVersionCheck(pkg) {
 } else if ( access('/usr/bin/apk') ) { // > v24.10
- let fd = popen('apk list -I ' + pkg + ' 2>/dev/null');
+ let fd = popen('apk list -I ' + shellquote(pkg) + ' 2>/dev/null');
 if (fd) {
 const re = regexp('^' + pkg + '-(.+)$', 's');
 const m = match(fd.read('all'), re);
@@ -652,18 +652,6 @@ const methods = {
 return { result: ports };
 }
- },
-
- packageVersionCheck: {
- args: { name: 'netifd' },
- call: function(request) {
- let version = "";
- const pkg = request?.args?.name;
-
- version = callPackageVersionCheck(pkg);
-
- return { result: version };
- }
 }
 };
-- 
2.30.2
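Review bot: `pkg` is still concatenated unescaped into the pattern on the unchanged line `regexp('^' + pkg + ' - (.+)$', 's')`, so the quoting added for popen() covers the shell side only. A name containing regex metacharacters such as `.` or `+` would match a different line than intended or fail to compile, and the same holds for `regexp('^' + pkg + '-(.+)$', 's')` in the apk branch of the next hunk. At minimum the assumption deserves a comment above the regexp call, e.g. `// pkg is spliced into the pattern as-is: callers must pass a literal package name without regex metacharacters`. shellquote() is not defined in any visible hunk; presumably it already exists earlier in this file, which is worth confirming. callPackageVersionCheck starts and ends outside the hunk.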
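Review bot: shellquote() stops the shell from interpreting `pkg`, but in `'apk list -I ' + shellquote(pkg)` (and in the opkg call of the previous hunk) a value beginning with `-` would still reach the package manager as an option rather than as a package name. Going by the commit message the remaining caller passes a fixed name, so this is hardening rather than a live problem. A guard at the top of the function would make that assumption explicit, e.g. `if (!match(pkg, /^[A-Za-z0-9][A-Za-z0-9+._-]*$/)) return null;`. The start of callPackageVersionCheck and its return statement are outside the hunk, so the early-return value should be whatever the function already returns when no package is found.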