bbfdm: fix shell injection in /etc/firewall.service

Avoid use of eval (cherry picked from commit 53167364863ef4afc249045fe5dcb510e3ec164d)
2025-12-10 07:44:50 +01:00 · 2024-03-12 17:52:02 +01:00 · 2024-03-12 17:52:02 +01:00 · 32848d7f69
commit 32848d7f69
parent fd842a5638
1 changed files with 5 additions and 5 deletions
--- a/bbfdm/files/etc/firewall.service
+++ b/bbfdm/files/etc/firewall.service
@ -7,7 +7,7 @@ log() {
 }

 exec_cmd() {
-	if ! eval "$*"; then
+	if ! "$@"; then
 		log "Failed to run [$*]"
 		echo "-1"
 		return 0
@ -73,7 +73,7 @@ add_iptable_rule() {
 		fi

 		if [ -z "${src_prefix}" ]; then
-			res=$(exec_cmd "iptables ${cmd} -m comment --comment IPtables_service_rule -j ${action}")
+			res=$(exec_cmd iptables -w ${cmd} -m comment --comment IPtables_service_rule -j "${action}")
 		else
 			#Add ipv4 sources if any
 			src_list=""
@ -86,7 +86,7 @@ add_iptable_rule() {

 			if [ -n "$src_list" ]; then
 				src_list=$(echo "${src_list}" | sed "s/,$//")
-				res=$(exec_cmd "iptables -s $src_list ${cmd} -m comment --comment IPtables_service_rule -j ${action}")
+				res=$(exec_cmd iptables -w -s "$src_list" ${cmd} -m comment --comment IPtables_service_rule -j "${action}")
 			fi
 		fi
 	fi
@ -97,7 +97,7 @@ add_iptable_rule() {
 		fi

 		if [ -z "${src_prefix}" ]; then
-			res=$(exec_cmd "ip6tables ${cmd} -m comment --comment IP6tables_service_rule -j ${action}")
+			res=$(exec_cmd ip6tables -w ${cmd} -m comment --comment IP6tables_service_rule -j "${action}")
 		else
 			#Add ipv6 sources if any
 			src_list=""
@ -110,7 +110,7 @@ add_iptable_rule() {

 			if [ -n "$src_list" ]; then
 				src_list=$(echo "${src_list}" | sed "s/,$//")
-				res=$(exec_cmd "ip6tables -s $src_list ${cmd} -m comment --comment IP6tables_service_rule -j ${action}")
+				res=$(exec_cmd ip6tables -w -s "$src_list" ${cmd} -m comment --comment IP6tables_service_rule -j "${action}")
 			fi
 		fi
 	fi