lualoader: Use cli_execute_unparsed instead of loader.interpret

loader.interpret should not be used for executing loader commands from an untrusted source (e.g. environment vars) as it will allow execution of arbitrary Lua. Replace it with a call to the recently introduced cli_execute_unparsed, which parses it out as a loader command and then dispatches it as a loader command. This effectively filters out arbitrary Lua.
2018-03-07 18:31:01 +00:00 · 2018-03-07 18:31:01 +00:00 · e9c3ceb159
commit e9c3ceb159
parent ca3b8c9fc4
1 changed files with 1 additions and 1 deletions
--- a/stand/lua/menu.lua
+++ b/stand/lua/menu.lua
@ -450,7 +450,7 @@ function menu.autoboot()
 	until time <= 0

 	local cmd = loader.getenv("menu_timeout_command") or "boot"
-	loader.interpret(cmd)
+	cli_execute_unparsed(cmd)
 end

 return menu