From 336ce9bbd7c620226d0ef01ba58c02be12f7b90e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Wed, 12 Nov 2014 23:43:24 +0100
Subject: shell escape variables before passing them to the shell
Signed-off-by: Adrian C. (anrxc)
---
 widgets/fs.lua | 2 +-
 widgets/hddtemp.lua | 4 +++-
 widgets/mdir.lua | 6 ++++--
 widgets/volume.lua | 3 ++-
 widgets/weather.lua | 4 ++--
 widgets/wifi.lua | 2 +-
 6 files changed, 13 insertions(+), 8 deletions(-)
(limited to 'widgets')
diff --git a/widgets/fs.lua b/widgets/fs.lua
index 7832b1f..4b889dc 100644
--- a/widgets/fs.lua
+++ b/widgets/fs.lua
@@ -27,7 +27,7 @@ local function worker(format, warg)
 if warg then warg = "" else warg = "-l" end local fs_info = {} -- Get data from df
- local f = io.popen("LC_ALL=C df -kP " .. warg)
+ local f = io.popen("LC_ALL=C df -kP " .. helpers.shellquote(warg))
 for line in f:lines() do -- Match: (size) (used)(avail)(use%) (mount) local s = string.match(line, "^.-[%s]([%d]+)")
diff --git a/widgets/hddtemp.lua b/widgets/hddtemp.lua
index 85ee767..5c2b1a6 100644
--- a/widgets/hddtemp.lua
+++ b/widgets/hddtemp.lua
@@ -8,6 +8,7 @@ local tonumber = tonumber local io = { popen = io.popen } local setmetatable = setmetatable local string = { gmatch = string.gmatch }
+local helpers = require("vicious.helpers")
 -- }}}
@@ -22,7 +23,8 @@ local function worker(format, warg)
 if warg == nil then warg = 7634 end local hdd_temp = {} -- Get info from the hddtemp daemon
- local f = io.popen("echo | curl --connect-timeout 1 -fsm 3 telnet://127.0.0.1:"..warg)
+ local quoted = helpers.shellquote(warg)
+ local f = io.popen("echo | curl --connect-timeout 1 -fsm 3 telnet://127.0.0.1:"..quoted)
 for line in f:lines() do for d, t in string.gmatch(line, "|([%/%a%d]+)|.-|([%d]+)|[CF]+|") do
diff --git a/widgets/mdir.lua b/widgets/mdir.lua
index d7c6f3d..bea9088 100644
--- a/widgets/mdir.lua
+++ b/widgets/mdir.lua
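Review bot: The `helpers.shellquote(warg)` call in widgets/fs.lua quotes a value that is never caller-controlled, because the context line above it has already overwritten `warg` with `""` or `"-l"`. If the helper (not part of this diff) turns an empty string into `''`, the command becomes `df -kP ''` and df receives an empty operand instead of none, so I would keep the plain concatenation with a comment such as `-- warg is the constant "" or "-l" here, nothing to quote`. Separately, this patch adds `local helpers = require("vicious.helpers")` only to hddtemp.lua, mdir.lua and volume.lua; fs.lua, weather.lua and wifi.lua call `helpers.shellquote` with no require visible, so confirm each already has `helpers` in scope. worker's body continues outside the hunk.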
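Review bot: In the worker hunk of widgets/hddtemp.lua, `helpers.shellquote(warg)` receives the number 7634 whenever the caller passes nothing, since the default on the context line above is numeric; the helper is outside this diff, so its handling of non-string input should be checked. A port is better validated than quoted: `local port = tonumber(warg) or 7634` followed by `"telnet://127.0.0.1:"..port` keeps anything that is not a number away from the shell, and `tonumber` is already localised at the top of the file. If quoting is kept, a comment like `-- warg may be a number (default 7634); shellquote must accept that` would record the assumption. worker's body continues outside the hunk.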
@@ -7,6 +7,7 @@ -- {{{ Grab environment local io = { popen = io.popen } local setmetatable = setmetatable
+local helpers = require("vicious.helpers")
 -- }}}
@@ -23,13 +24,14 @@ local function worker(format, warg)
 local count = { new = 0, cur = 0 } for i=1, #warg do
+ quoted_path = helpers.shellquote(warg[i])
 -- Recursively find new messages
- local f = io.popen("find '"..warg[i].."' -type f -wholename '*/new/*'")
+ local f = io.popen("find "..quoted_path.." -type f -wholename '*/new/*'")
 for line in f:lines() do count.new = count.new + 1 end f:close() -- Recursively find "old" messages lacking the Seen flag
- local f = io.popen("find '"..warg[i].."' -type f -regex '.*/cur/.*2,[^S]*$'")
+ local f = io.popen("find "..quoted_path.." -type f -regex '.*/cur/.*2,[^S]*$'")
 for line in f:lines() do count.cur = count.cur + 1 end f:close() end
diff --git a/widgets/volume.lua b/widgets/volume.lua
index 2a7d377..57970a3 100644
--- a/widgets/volume.lua
+++ b/widgets/volume.lua
@@ -8,6 +8,7 @@ local tonumber = tonumber local io = { popen = io.popen } local setmetatable = setmetatable local string = { match = string.match }
+local helpers = require("vicious.helpers")
 -- }}}
@@ -26,7 +27,7 @@ local function worker(format, warg)
 } -- Get mixer control contents
- local f = io.popen("amixer -M get " .. warg)
+ local f = io.popen("amixer -M get " .. helpers.shellquote(warg))
 local mixer = f:read("*all") f:close()
diff --git a/widgets/weather.lua b/widgets/weather.lua
index 029df7e..632d5b9 100644
--- a/widgets/weather.lua
+++ b/widgets/weather.lua
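Review bot: `quoted_path = helpers.shellquote(warg[i])` in the worker hunk of widgets/mdir.lua is assigned without `local`, so each loop iteration writes a global named `quoted_path` that any other module can read or overwrite. It should be `local quoted_path = helpers.shellquote(warg[i])`. The old code wrapped the path in single quotes by hand, which a `'` inside a maildir path would have ended early, so routing the value through the helper is the right direction and only the scoping needs fixing. worker's body continues outside the hunk.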
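Review bot: Quoting `warg` in the worker hunk of widgets/volume.lua turns it into a single shell word, so a configuration that passed a control name together with extra amixer options in one string would now have the whole string treated as the control name. Whether such callers exist is not visible here, but the behaviour change deserves a comment at the call, e.g. `-- warg is passed as one argument: the mixer control name only`, and a matching line in the widget documentation. worker's body continues outside the hunk.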
@@ -40,8 +40,8 @@ local function worker(format, warg)
 -- Get weather forceast by the station ICAO code, from: -- * US National Oceanic and Atmospheric Administration
- local noaa = "http://weather.noaa.gov/pub/data/observations/metar/decoded/"
- local f = io.popen("curl --connect-timeout 1 -fsm 3 "..noaa..warg..".TXT")
+ local url = "http://weather.noaa.gov/pub/data/observations/metar/decoded/"..warg
+ local f = io.popen("curl --connect-timeout 1 -fsm 3 "..helpers.shellquote(url)..".TXT")
 local ws = f:read("*all") f:close()
diff --git a/widgets/wifi.lua b/widgets/wifi.lua
index 15666e5..973f109 100644
--- a/widgets/wifi.lua
+++ b/widgets/wifi.lua
@@ -58,7 +58,7 @@ local function worker(format, warg)
 end -- Get data from iwconfig where available
- local f = io.popen(iwconfig .." ".. warg .. " 2>&1")
+ local f = io.popen(iwconfig .." ".. helpers.shellquote(warg) .. " 2>&1")
 local iw = f:read("*all") f:close()
--
cgit v1.2.3
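Review bot: In widgets/weather.lua the `.TXT` suffix is concatenated after `helpers.shellquote(url)`, so part of the URL sits outside the quoted word; the shell joins the two pieces, but the command is easier to audit when the whole URL is built first and quoted once: `local url = "http://weather.noaa.gov/pub/data/observations/metar/decoded/"..warg..".TXT"` and then `io.popen("curl --connect-timeout 1 -fsm 3 "..helpers.shellquote(url))`. Quoting keeps `warg` out of the shell grammar, but the value still lands unchecked in the URL path, so a short format check on the station code before the URL is built would be a useful second guard. worker's body continues outside the hunk.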