luci-base: shell quote package name variable to prevent command injection
authorPaul Donald <[email protected]>
Wed, 5 Nov 2025 21:10:48 +0000 (22:10 +0100)
committerPaul Donald <[email protected]>
Wed, 5 Nov 2025 21:11:17 +0000 (22:11 +0100)
Do not export the function for use elsewhere - it shall only be used within
the luci script (to determine netifd version).

Signed-off-by: Paul Donald <[email protected]>
modules/luci-base/root/usr/share/rpcd/ucode/luci

index 624523af386bca791210f8fec01a6d24ebc3a098..c0ebc8cb2762ca827cd0037b3fd55bd098afb314 100644 (file)
@@ -22,7 +22,7 @@ function callPackageVersionCheck(pkg) {
 
        if ( access('/bin/opkg') ) {
                // <= v24.10
-               let fd = popen('opkg list-installed ' + pkg + ' 2>/dev/null');
+               let fd = popen('opkg list-installed ' + shellquote(pkg) + ' 2>/dev/null');
                if (fd) {
                        const re = regexp('^' + pkg + ' - (.+)$', 's');
                        const m = match(fd.read('all'), re);
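Review bot: `pkg` is still concatenated unescaped into the pattern `regexp('^' + pkg + ' - (.+)$', 's')` just below the quoted `popen` call, so regex metacharacters in a name are interpreted as pattern syntax; the apk hunk has the same construction in `regexp('^' + pkg + '-(.+)$', 's')`. Shell quoting also does not stop a value beginning with `-` from being parsed by opkg or apk as an option rather than a package name. A single check at the top of `callPackageVersionCheck`, which starts outside this hunk, would cover that case: `if (type(pkg) != 'string' || !match(pkg, /^[A-Za-z0-9][A-Za-z0-9._+-]*$/)) return null;`, with the return value adjusted to whatever the function yields on failure. Names that legitimately contain `.` or `+` would pass that check and still need escaping before the `regexp` call, or a literal prefix comparison in its place. The commit removes the RPC method, and its description suggests the remaining caller is internal, so this looks like hardening rather than a reachable flaw.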
@@ -33,7 +33,7 @@ function callPackageVersionCheck(pkg) {
        }
        else if ( access('/usr/bin/apk') ) {
                // > v24.10
-               let fd = popen('apk list -I ' + pkg + ' 2>/dev/null');
+               let fd = popen('apk list -I ' + shellquote(pkg) + ' 2>/dev/null');
                if (fd) {
                        const re = regexp('^' + pkg + '-(.+)$', 's');
                        const m = match(fd.read('all'), re);
@@ -652,18 +652,6 @@ const methods = {
 
                        return { result: ports };
                }
-       },
-
-       packageVersionCheck: {
-               args: { name: 'netifd' },
-               call: function(request) {
-                       let version = "";
-                       const pkg = request?.args?.name;
-
-                       version = callPackageVersionCheck(pkg);
-
-                       return { result: version };
-               }
        }
 };