From 336ce9bbd7c620226d0ef01ba58c02be12f7b90e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Wed, 12 Nov 2014 23:43:24 +0100 Subject: shell escape variables before passing them to the shell Signed-off-by: Adrian C. (anrxc) --- README | 8 +++++--- helpers.lua | 9 +++++++++ widgets/fs.lua | 2 +- widgets/hddtemp.lua | 4 +++- widgets/mdir.lua | 6 ++++-- widgets/volume.lua | 3 ++- widgets/weather.lua | 4 ++-- widgets/wifi.lua | 2 +- 8 files changed, 27 insertions(+), 11 deletions(-) diff --git a/README b/README index 4f1ff50..3a4f2b8 100644 --- a/README +++ b/README @@ -224,8 +224,10 @@ vicious.widgets.wifi vicious.widgets.mbox - provides the subject of last e-mail in a mbox file - takes the full path to the mbox as an argument, or a table with - 1st field as path, 2nd as maximum lenght and 3rd (optional) as - widget name - if 3rd field is present scrolling will be used + 1st field as path, 2nd as maximum length and 3rd (optional) as + widget name - if 3rd field is present scrolling will be used (note: the + path will be escaped so special variables like ~ will not work, use + os.getenv("HOME").."mail" instead to access environment variables) - returns 1st value as the subject of the last e-mail vicious.widgets.mboxc @@ -244,7 +246,7 @@ vicious.widgets.mdir vicious.widgets.gmail - provides count of new and subject of last e-mail on Gmail - takes an (optional) argument, if it's a number subject will be - truncated, if a table, with 1st field as maximum lenght and 2nd + truncated, if a table, with 1st field as maximum length and 2nd the widget name (i.e. "gmailwidget"), scrolling will be used - keeps login information in the ~/.netrc file, example: machine mail.google.com login user password pass diff --git a/helpers.lua b/helpers.lua index 4c15690..7c8dd0c 100644 --- a/helpers.lua +++ b/helpers.lua 
@@ -97,6 +97,15 @@ function helpers.escape(text) end -- }}} +-- {{{ Escape a string for save usage on the command line +function helpers.shellquote(s) + if s == nil then return "" end + -- use single quotes, and put single quotes into double quotes + -- the string $'b is then quoted as '$'"'"'b'"'"' + return "'" .. s:gsub("'", "'\"'\"'") .. "'" +end +-- }}} + -- {{{ Capitalize a string function helpers.capitalize(text) return text and text:gsub("([%w])([%w]*)", function(c, s) diff --git a/widgets/fs.lua b/widgets/fs.lua index 7832b1f..4b889dc 100644 --- a/widgets/fs.lua +++ b/widgets/fs.lua @@ -27,7 +27,7 @@ local function worker(format, warg) if warg then warg = "" else warg = "-l" end local fs_info = {} -- Get data from df - local f = io.popen("LC_ALL=C df -kP " .. warg) + local f = io.popen("LC_ALL=C df -kP " .. helpers.shellquote(warg)) for line in f:lines() do -- Match: (size) (used)(avail)(use%) (mount) local s = string.match(line, "^.-[%s]([%d]+)") diff --git a/widgets/hddtemp.lua b/widgets/hddtemp.lua index 85ee767..5c2b1a6 100644 --- a/widgets/hddtemp.lua +++ b/widgets/hddtemp.lua @@ -8,6 +8,7 @@ local tonumber = tonumber local io = { popen = io.popen } local setmetatable = setmetatable local string = { gmatch = string.gmatch } +local helpers = require("vicious.helpers") -- }}} @@ -22,7 +23,8 @@ local function worker(format, warg) if warg == nil then warg = 7634 end local hdd_temp = {} -- Get info from the hddtemp daemon - local f = io.popen("echo | curl --connect-timeout 1 -fsm 3 telnet://127.0.0.1:"..warg) + local quoted = helpers.shellquote(warg) + local f = io.popen("echo | curl --connect-timeout 1 -fsm 3 telnet://127.0.0.1:"..quoted) for line in f:lines() do for d, t in string.gmatch(line, "|([%/%a%d]+)|.-|([%d]+)|[CF]+|") do diff --git a/widgets/mdir.lua b/widgets/mdir.lua index d7c6f3d..bea9088 100644 --- a/widgets/mdir.lua +++ b/widgets/mdir.lua 
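Review bot: `helpers.shellquote` only guards against nil, so any non-string argument reaches `s:gsub` and raises "attempt to index a number value". The hddtemp.lua hunk in this same patch does exactly that, because its context line sets `warg = 7634` (a number) before calling the helper. Coerce after the nil guard with `s = tostring(s)`. The header comment should read "safe usage", not "save usage". Returning `""` for nil drops the argument from the command line rather than passing an empty one; a one-line comment saying that is intended would help.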
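Review bot: In widgets/fs.lua the value being quoted is not caller input, so quoting adds no protection and breaks one branch. The context line just above overwrites `warg` with either `""` or `"-l"`; `shellquote("")` then yields `''`, and df receives an empty file operand instead of no operand. Keeping the original `io.popen("LC_ALL=C df -kP " .. warg)` is correct here, ideally with a comment that both values are fixed literals. This section also adds no `require("vicious.helpers")`, so confirm the file already has one; the worker body continues outside the hunk.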
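Review bot: In widgets/hddtemp.lua the interpolated value is a TCP port, so a numeric check is a tighter control than quoting. It also avoids handing the numeric default to `shellquote`, which indexes its argument as a string. Something like `local port = tonumber(warg)` followed by a check that it is an integer between 1 and 65535 would do, concatenating `port` itself into the URL. `tonumber` is already localised at the top of the file. The worker body continues outside the hunk, so how a rejected value should be reported is not visible here.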
@@ -7,6 +7,7 @@ -- {{{ Grab environment local io = { popen = io.popen } local setmetatable = setmetatable +local helpers = require("vicious.helpers") -- }}} @@ -23,13 +24,14 @@ local function worker(format, warg) local count = { new = 0, cur = 0 } for i=1, #warg do + quoted_path = helpers.shellquote(warg[i]) -- Recursively find new messages - local f = io.popen("find '"..warg[i].."' -type f -wholename '*/new/*'") + local f = io.popen("find "..quoted_path.." -type f -wholename '*/new/*'") for line in f:lines() do count.new = count.new + 1 end f:close() -- Recursively find "old" messages lacking the Seen flag - local f = io.popen("find '"..warg[i].."' -type f -regex '.*/cur/.*2,[^S]*$'") + local f = io.popen("find "..quoted_path.." -type f -regex '.*/cur/.*2,[^S]*$'") for line in f:lines() do count.cur = count.cur + 1 end f:close() end diff --git a/widgets/volume.lua b/widgets/volume.lua index 2a7d377..57970a3 100644 --- a/widgets/volume.lua +++ b/widgets/volume.lua @@ -8,6 +8,7 @@ local tonumber = tonumber local io = { popen = io.popen } local setmetatable = setmetatable local string = { match = string.match } +local helpers = require("vicious.helpers") -- }}} @@ -26,7 +27,7 @@ local function worker(format, warg) } -- Get mixer control contents - local f = io.popen("amixer -M get " .. warg) + local f = io.popen("amixer -M get " .. helpers.shellquote(warg)) local mixer = f:read("*all") f:close() diff --git a/widgets/weather.lua b/widgets/weather.lua index 029df7e..632d5b9 100644 --- a/widgets/weather.lua +++ b/widgets/weather.lua 
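Review bot: In widgets/mdir.lua the new `quoted_path = helpers.shellquote(warg[i])` is missing `local`, so it writes a global on every loop iteration; it should be `local quoted_path = helpers.shellquote(warg[i])`. Separately, quoting neutralises shell metacharacters but not option parsing by `find` itself: a configured path that begins with `-` is still read as an expression rather than a starting point. Rejecting such paths or normalising relative ones to start with `./` would close that gap. `local f` is declared twice in the loop body; reusing one variable would be cleaner.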
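Review bot: In widgets/volume.lua, quoting the whole of `warg` turns it into exactly one argument to `amixer -M get`, which changes behaviour for any configuration that passed more than the control name. If callers were appending options such as a card selector to the control name (not visible in this patch, so worth confirming), those configs will now fail with an unknown control. The README entry for this widget should state that the argument is a single control name, as the mbox entry was updated to explain the `~` change. If extra options must stay supported, accept a table and quote each element separately.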
@@ -40,8 +40,8 @@ local function worker(format, warg) -- Get weather forceast by the station ICAO code, from: -- * US National Oceanic and Atmospheric Administration - local noaa = "http://weather.noaa.gov/pub/data/observations/metar/decoded/" - local f = io.popen("curl --connect-timeout 1 -fsm 3 "..noaa..warg..".TXT") + local url = "http://weather.noaa.gov/pub/data/observations/metar/decoded/"..warg + local f = io.popen("curl --connect-timeout 1 -fsm 3 "..helpers.shellquote(url)..".TXT") local ws = f:read("*all") f:close() diff --git a/widgets/wifi.lua b/widgets/wifi.lua index 15666e5..973f109 100644 --- a/widgets/wifi.lua +++ b/widgets/wifi.lua @@ -58,7 +58,7 @@ local function worker(format, warg) end -- Get data from iwconfig where available - local f = io.popen(iwconfig .." ".. warg .. " 2>&1") + local f = io.popen(iwconfig .." ".. helpers.shellquote(warg) .. " 2>&1") local iw = f:read("*all") f:close() -- cgit v1.2.3
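Review bot: In widgets/weather.lua, quoting the URL stops shell interpretation, but `warg` is still concatenated unchecked into the request path, so a malformed station code can change which resource curl fetches. Station identifiers have a closed form (typically four alphanumerics), so a guard such as `warg:match("^%w%w%w%w$")` before building `url` is the more precise control. The `.TXT` suffix is appended outside the quotes; that works in the shell, but building the full URL first and quoting it once reads more clearly. No hunk for this file or for widgets/wifi.lua adds `require("vicious.helpers")`, so confirm both already have it in scope.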