svn commit: r330618 - head/stand/lua

Kyle Evans kevans at FreeBSD.org
Wed Mar 7 18:31:02 UTC 2018


Author: kevans
Date: Wed Mar  7 18:31:01 2018
New Revision: 330618
URL: https://svnweb.freebsd.org/changeset/base/330618

Log:
  lualoader: Use cli_execute_unparsed instead of loader.interpret
  
  loader.interpret should not be used for executing loader commands from an
  untrusted source (e.g. environment vars) as it will allow execution of
  arbitrary Lua. Replace it with a call to the recently introduced
  cli_execute_unparsed, which parses it out as a loader command and then
  dispatches it as a loader command. This effectively filters out arbitrary
  Lua.

Modified:
  head/stand/lua/menu.lua

Modified: head/stand/lua/menu.lua
==============================================================================
--- head/stand/lua/menu.lua	Wed Mar  7 18:28:41 2018	(r330617)
+++ head/stand/lua/menu.lua	Wed Mar  7 18:31:01 2018	(r330618)
@@ -450,7 +450,7 @@ function menu.autoboot()
 	until time <= 0
 
 	local cmd = loader.getenv("menu_timeout_command") or "boot"
-	loader.interpret(cmd)
+	cli_execute_unparsed(cmd)
 end
 
 return menu
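Review bot: The new call at the end of menu.autoboot() has no comment explaining why loader.interpret must not be used on menu_timeout_command, and that reasoning lives only in the log message. A one-line comment above cli_execute_unparsed(cmd) noting that the value comes from loader.getenv and is treated as untrusted would keep a later cleanup from switching the call back. Separately, the result of cli_execute_unparsed(cmd) is discarded and the function ends right after it, so a menu_timeout_command that does not parse or dispatch as a loader command leaves the timeout path doing nothing visible. If the function reports failure through its return value, consider checking it here and either printing an error or falling back to the "boot" default already used on the line above.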

