Date: Wed, 7 Mar 2018 18:31:01 +0000 (UTC)
From: Kyle Evans <kevans@FreeBSD.org>
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r330618 - head/stand/lua
Message-ID: <201803071831.w27IV1L2066715@repo.freebsd.org>
Author: kevans Date: Wed Mar 7 18:31:01 2018 New Revision: 330618 URL: https://svnweb.freebsd.org/changeset/base/330618 Log: lualoader: Use cli_execute_unparsed instead of loader.interpret loader.interpret should not be used for executing loader commands from an untrusted source (e.g. environment vars) as it will allow execution of arbitrary Lua. Replace it with a call to the recently introduced cli_execute_unparsed, which parses it out as a loader command and then dispatches it as a loader command. This effectively filters out arbitrary Lua. Modified: head/stand/lua/menu.lua Modified: head/stand/lua/menu.lua ============================================================================== --- head/stand/lua/menu.lua Wed Mar 7 18:28:41 2018 (r330617) +++ head/stand/lua/menu.lua Wed Mar 7 18:31:01 2018 (r330618) @@ -450,7 +450,7 @@ function menu.autoboot() until time <= 0 local cmd = loader.getenv("menu_timeout_command") or "boot" - loader.interpret(cmd) + cli_execute_unparsed(cmd) end return menu
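Review bot: the result of cli_execute_unparsed(cmd) is discarded in the replaced line, just as loader.interpret's was, so a menu_timeout_command value that does not parse or dispatch as a loader command fails silently and menu.autoboot() simply returns; the `or "boot"` fallback only covers the case where the variable is unset, not a malformed one, so consider checking the return value and falling back to "boot" (or at least printing a diagnostic) when the command is rejected. Two smaller points: the hunk adds no require for the module that provides cli_execute_unparsed, so it is worth confirming that the function is guaranteed to be defined as a global by the time menu.autoboot() runs, and the log message should state explicitly that menu_timeout_command is now parsed only as a loader command, since any existing configuration that set it to a Lua statement will stop working after this change.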