From 4208db6d5fb7be1144f68d0470fe495d7015c814 Mon Sep 17 00:00:00 2001
From: Franco Fichtner
Date: Sat, 30 Nov 2024 11:34:56 +0100
Subject: [PATCH] firmware: make it a bit safer still
---
 src/opnsense/scripts/firmware/config.sh | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/opnsense/scripts/firmware/config.sh b/src/opnsense/scripts/firmware/config.sh
index f8ea07e33..dbbb9c9a4 100755
--- a/src/opnsense/scripts/firmware/config.sh
+++ b/src/opnsense/scripts/firmware/config.sh
@@ -112,6 +112,9 @@ output_cmd()
 shift $((OPTIND - 1))
 
 for ARG in "${@}"; do
+ # transform first to trap replacements
+ ARG="$(echo "${ARG}")"
+
 # single quote will not execute for safety
 if [ -z "${ARG##*"'"*}" ]; then
 output_text "firmware: safety violation in argument during ${REQUEST}"
@@ -119,7 +122,7 @@ output_cmd()
 fi
 
 # append safely to argument in single quotes
- DO_CMD="${DO_CMD} '$(echo ${ARG})'"
+ DO_CMD="${DO_CMD} '${ARG}'"
 done
 
 # pipe needed for grabbing the command return value
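Review bot: The added `ARG="$(echo "${ARG}")"` in the first hunk still passes the argument through echo, so a value that is exactly `-n` (or any other flag the shell's echo builtin accepts) is consumed as an option and reaches the quote check and `DO_CMD` as an empty string. Whether backslash sequences are also rewritten depends on the echo implementation of the shell that runs config.sh, which is not visible here. Since the second hunk now appends `'${ARG}'` directly, the value checked is already the value appended, so `ARG="$(printf '%s' "${ARG}")"` (or dropping the round trip) would keep that guarantee without echo's option handling. If echo's rewriting is deliberately what the check should see, the comment could say so, e.g. `# pass through echo first so the quote check sees the final value`. output_cmd's body starts and ends outside both hunks, so how `DO_CMD` is finally executed cannot be confirmed from this page.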