fix command injection (thanks @iwallplace)

Author: stangri

root/usr/libexec/rpcd/luci.https-dns-proxy

@@ -112,27 +112,17 @@ get_providers() {
 }
 
 set_init_action() {
-	local name="$1" action="$2" cmd
-	
-	# SECURITY FIX: Validate name parameter to prevent command injection
-	# CVE-202X-XXXXX: Privilege Escalation via unsanitized 'name' parameter
-	# Fix by: Ahmet Mersin (ahmetmersin.com)
-	# Only allow the expected package name
-	if [ "$name" != "$packageName" ]; then
-		logger "SECURITY: Rejected invalid name parameter: $name"
-		print_json_bool "result" '0'
-		return 1
-	fi
-	
-	case $action in
+	local action="$2" cmd
+	[ "$(basename "$1")" = "$packageName" ] || { print_json_bool 'result' '0'; return 1; }
+		case $action in
 		enable|disable|start|stop|restart)
-			cmd="/etc/init.d/${name} ${action}"
+			cmd="/etc/init.d/${packageName} ${action}"
 		;;
 	esac
 	if [ -n "$cmd" ] && eval "$cmd" >/dev/null 2>&1; then
-		print_json_bool "result" '1'
+		print_json_bool 'result' '1'
 	else
-		print_json_bool "result" '0'
+		print_json_bool 'result' '0'
 	fi
 }