From 5bbd0e6d66189df08ad74abb16f82b26de10546e Mon Sep 17 00:00:00 2001
From: Dan
Date: Fri, 26 Oct 2018 23:15:06 -0700
Subject: [PATCH] Add some string escaping to handle transcription providers
---
 .../resources/functions/record_message.lua | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/resources/install/scripts/app/voicemail/resources/functions/record_message.lua b/resources/install/scripts/app/voicemail/resources/functions/record_message.lua
index f4da0b1b05..9b9ca6507d 100644
--- a/resources/install/scripts/app/voicemail/resources/functions/record_message.lua
+++ b/resources/install/scripts/app/voicemail/resources/functions/record_message.lua
@@ -38,6 +38,22 @@
 end)
 end
+--define escape function (prevents lua injection attacks)
+ local function esc(x)
+ return (x:gsub('%%', '%%%%')
+ :gsub('^%^', '%%^')
+ :gsub('%$$', '%%$')
+ :gsub('%(', '%%(')
+ :gsub('%)', '%%)')
+ :gsub('%.', '%%.')
+ :gsub('%[', '%%[')
+ :gsub('%]', '%%]')
+ :gsub('%*', '%%*')
+ :gsub('%+', '%%+')
+ :gsub('%-', '%%-')
+ :gsub('%?', '%%?'))
+ end
+
 local function transcribe(file_path,settings,start_epoch)
 --transcription variables
 if (os.time() - start_epoch > 2) then
@@ -106,7 +122,7 @@
 if (transcription_server ~= '') then
 transcribe_cmd = "curl -L " .. transcription_server .. " -F file=@"..file_path
 local handle = io.popen(transcribe_cmd);
- local transcribe_result = handle:read("*a");
+ local transcribe_result = esc(handle:read("*a"));
 handle:close();
 if (debug["info"]) then
 freeswitch.consoleLog("notice", "[voicemail] CMD: " .. transcribe_cmd .. "\n");
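Review bot: The comment on `esc` in the first hunk says it "prevents lua injection attacks", but the function only prefixes Lua pattern magic characters with `%`, which matters solely when the value is later used as the pattern argument of `string.find`, `string.match` or `string.gsub`. It does nothing against shell or code injection, and in a `gsub` replacement string only `%` is special, so the other eleven substitutions merely alter the text. I would reword the comment to `--escape Lua pattern magic characters so x can be used as a literal pattern (not a shell or code injection defence)`. `esc` also raises if `x` is nil, which is worth stating in the same comment.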
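Review bot: In the second hunk `esc` is applied to the whole transcription response as soon as it is read, so every `.`, `(`, `-`, `?` and `%` in the provider's output gains a `%` prefix before anything downstream parses or displays it. The code that consumes `transcribe_result` is outside this hunk; if it decodes the response or shows the text to the user, it now receives the altered text. I would keep `local transcribe_result = handle:read("*a");` and escape only at the call where the value is handed to a pattern function. Separately, the command passed to `io.popen` is still built by concatenating `transcription_server` and `file_path` unquoted, which is the injection surface this commit leaves open; quoting both, for example with `local function shq(s) return "'" .. s:gsub("'", "'\\''") .. "'" end`, would close it. `io.popen` can also return nil, and `handle` is used without a check.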