From c8c7fe7fc79cf010eaeeddfe782f00200557f7f7 Mon Sep 17 00:00:00 2001
From: Laurent Peuch
Date: Fri, 18 Aug 2017 02:34:46 +0200
Subject: [PATCH] [fix] prevent shell injections
---
 helpers.lua | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/helpers.lua b/helpers.lua
index ba36cfb..4ced5f4 100644
--- a/helpers.lua
+++ b/helpers.lua
@@ -842,7 +842,7 @@ end
 function hash_password(password)
 -- TODO is the password checked by regex? we don't want to
 -- allow shell injection
- local mkpasswd = io.popen("mkpasswd --method=sha-512 '" ..password.."'")
+ local mkpasswd = io.popen("mkpasswd --method=sha-512 '" ..password:gsub("'", "'\\''").."'")
 local hashed_password = "{CRYPT}"..mkpasswd:read()
 mkpasswd:close()
 return hashed_password
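Review bot: On the changed `io.popen` line the escaped password is still passed to mkpasswd as a positional argument, so a password beginning with `-` would be parsed as an option instead of being hashed, and the clear-text value sits in the process argument list while the command runs. Ending option parsing before the value covers the first case, assuming mkpasswd uses getopt-style parsing (worth confirming on the deployed version): `local mkpasswd = io.popen("mkpasswd --method=sha-512 -- '" ..password:gsub("'", "'\\''").."'")`. Supplying the password on stdin (mkpasswd's `--stdin`) would also keep it out of the argument list, but `io.popen` is one-directional, so the hash would then have to be collected another way. The TODO above the call is now stale and could become `-- password is single-quote escaped for the shell; see the option-parsing caveat`. The closing `end` of `hash_password` lies outside the hunk.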