lualoader: Use cli_execute_unparsed instead of loader.interpret

loader.interpret should not be used for executing loader commands from an
untrusted source (e.g. environment vars) as it will allow execution of
arbitrary Lua. Replace it with a call to the recently introduced
cli_execute_unparsed, which parses it out as a loader command and then
dispatches it as a loader command. This effectively filters out arbitrary
Lua.
kevans 2018-03-07 18:31:01 +00:00
parent 5a97a280a3
commit 16be7de42b


@ -450,7 +450,7 @@ function menu.autoboot()
until time <= 0
local cmd = loader.getenv("menu_timeout_command") or "boot"
loader.interpret(cmd)
cli_execute_unparsed(cmd)
end
return menu
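
Review bot: the replaced call in menu.autoboot() carries no comment saying why cli_execute_unparsed is used, so the rationale lives only in the commit message. A one-line comment above `cli_execute_unparsed(cmd)` noting that menu_timeout_command comes from the environment and must be dispatched as a loader command, never interpreted as Lua, would keep a later cleanup from switching it back to loader.interpret. Nothing in this hunk checks the outcome of the call either, so a menu_timeout_command value that does not parse as a loader command would fail without any message at the end of the countdown; consider checking the result and falling back to "boot", the same default used on the `loader.getenv("menu_timeout_command") or "boot"` line.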