luci-proto-wireguard: fixed a vulnerability in the checkPeerHost method
authorTom Haley <[email protected]>
Wed, 4 Dec 2024 19:19:25 +0000 (22:19 +0300)
committerPaul Donald <[email protected]>
Thu, 5 Dec 2024 17:13:59 +0000 (18:13 +0100)
The shellquote method is introduced so that injected code cannot be executed by the popen command.

Signed-off-by: Tom Haley <[email protected]>
(cherry picked from commit 101ea169c6af90c0aeaff6655b906b6d40155924)

protocols/luci-proto-wireguard/root/usr/share/rpcd/ucode/luci.wireguard

index 5ffcfd85a274def33b10ed5ee0288cdd4d1db5cb..4d2a5912b7b518f75c0c2abff9b4a8380fd3013e 100644 (file)
@@ -16,7 +16,7 @@ function command(cmd) {
 }
 
 function checkPeerHost(configHost, configPort, wgHost) {
-       const ips = popen(`resolveip ${configHost} 2>/dev/null`);
+       const ips = popen(`resolveip ${shellquote(configHost)} 2>/dev/null`);
        const hostIp = replace(wgHost, /\[|\]/g, "");
        if (ips) {
                for (let line = ips.read('line'); length(line); line = ips.read('line')) {
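Review bot: Quoting `configHost` on the added `popen` line stops shell metacharacters, but a value that begins with `-` would still reach `resolveip` as an option rather than a hostname, so argument injection is not covered. If `resolveip` honours the conventional end-of-options marker, the command string could become `resolveip -- ${shellquote(configHost)} 2>/dev/null`; otherwise reject a leading `-`, or validate the value as a hostname or IP literal, before the call. `shellquote` is not defined in this hunk and the hunk offsets are unchanged (`-16,7 +16,7`), so it is worth confirming that the helper exists on the branch this commit was cherry-picked to. The body of `checkPeerHost` continues past the end of the hunk.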