From 336ce9bbd7c620226d0ef01ba58c02be12f7b90e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@higgsboson.tk>
Date: Wed, 12 Nov 2014 23:43:24 +0100
Subject: shell escape variables before passing them to the shell

Signed-off-by: Adrian C. (anrxc) <anrxc@sysphere.org>
---
 widgets/hddtemp.lua | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'widgets/hddtemp.lua')

diff --git a/widgets/hddtemp.lua b/widgets/hddtemp.lua
index 85ee767..5c2b1a6 100644
--- a/widgets/hddtemp.lua
+++ b/widgets/hddtemp.lua
@@ -8,6 +8,7 @@ local tonumber = tonumber
 local io = { popen = io.popen }
 local setmetatable = setmetatable
 local string = { gmatch = string.gmatch }
+local helpers = require("vicious.helpers")
 -- }}}
 
 
@@ -22,7 +23,8 @@ local function worker(format, warg)
     if warg == nil then warg = 7634 end
 
     local hdd_temp = {} -- Get info from the hddtemp daemon
-    local f = io.popen("echo | curl --connect-timeout 1 -fsm 3 telnet://127.0.0.1:"..warg)
+    local quoted = helpers.shellquote(warg)
+    local f = io.popen("echo | curl --connect-timeout 1 -fsm 3 telnet://127.0.0.1:"..quoted)
 
     for line in f:lines() do
         for d, t in string.gmatch(line, "|([%/%a%d]+)|.-|([%d]+)|[CF]+|") do
-- 
cgit v1.2.3