Author: kevans
Date: Wed Mar 7 18:31:01 2018
New Revision: 330618

URL: https://svnweb.freebsd.org/changeset/base/330618

Log:
  lualoader: Use cli_execute_unparsed instead of loader.interpret

  loader.interpret should not be used for executing loader commands from an
  untrusted source (e.g. environment vars) as it will allow execution of
  arbitrary Lua. Replace it with a call to the recently introduced
  cli_execute_unparsed, which parses it out as a loader command and then
  dispatches it as a loader command. This effectively filters out arbitrary Lua.

Modified:
  head/stand/lua/menu.lua

Modified: head/stand/lua/menu.lua
==============================================================================
--- head/stand/lua/menu.lua	Wed Mar 7 18:28:41 2018	(r330617)
+++ head/stand/lua/menu.lua	Wed Mar 7 18:31:01 2018	(r330618)
@@ -450,7 +450,7 @@ function menu.autoboot()
 	until time <= 0
 	local cmd = loader.getenv("menu_timeout_command") or "boot"
-	loader.interpret(cmd)
+	cli_execute_unparsed(cmd)
 end
 return menu
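Review bot: on the `+	cli_execute_unparsed(cmd)` line, `cli_execute_unparsed` is called as a bare global and the hunk adds no `require` or local binding for it; confirm the module that defines it is loaded before `menu.autoboot()` runs, because the failure mode would be a nil-call error at the autoboot timeout instead of a boot. A one-line comment above the call stating that `loader.interpret` must not be used here because `menu_timeout_command` is read from the environment would keep a later cleanup from reverting this change.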
Log: lualoader: Use cli_execute_unparsed instead of loader.interpret loader.interpret should not be used for executing loader commands from an untrusted source (e.g. environment vars) as it will allow execution of arbitrary Lua. Replace it with a call to the recently introduced cli_execute_unparsed, which parses it out as a loader command and then dispatches it as a loader command. This effectively filters out arbitrary Lua. Modified: head/stand/lua/menu.lua Modified: head/stand/lua/menu.lua ============================================================================== --- head/stand/lua/menu.lua Wed Mar 7 18:28:41 2018 (r330617) +++ head/stand/lua/menu.lua Wed Mar 7 18:31:01 2018 (r330618) @@ -450,7 +450,7 @@ function menu.autoboot() until time <= 0 local cmd = loader.getenv("menu_timeout_command") or "boot" - loader.interpret(cmd) + cli_execute_unparsed(cmd) end return menu _______________________________________________ svn-src-all@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"