From 80cf65c95f328437c5a1007de14f8df043dd01d4 Mon Sep 17 00:00:00 2001
From: divinity76 <hans@loltek.net>
Date: Fri, 27 Sep 2024 09:49:55 +0200
Subject: [PATCH] Fix quoting

Previous version was vulnerable to command injection, for example if I set my password to

foo'$(id)'bar
the actual command would become
sudo bash hst-install.sh --password 'foo'$(id)'bar'

and the actual password would become:
foouid=1002(hans) gid=1002(hans) groups=1002(hans),4(adm),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),100(users),107(netdev)bar
---
 src/App.vue | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/App.vue b/src/App.vue
index 78a3d6d..c9e8f9f 100644
--- a/src/App.vue
+++ b/src/App.vue
@@ -101,7 +101,7 @@ export default {
 
         if (item.textField && item.selected) {
           if(item.text.length >= 2){
-            installstr.push(item.param + " '" + item.text + "'")
+            installstr.push(item.param + " '" + item.text.toString().replace(/\'/g, "'\\''") + "'")
           }
         } else if(!item.textField) {
           if (item.param.includes("force")) {