[pve-devel] [PATCH pve-storage] upload API: safer filename handling

Wolfgang Bumiller w.bumiller at proxmox.com
Tue Aug 18 13:24:47 CEST 2015


Replace possibly-dangerous characters in uploaded filenames
with underscores; this includes spaces, colons, commas,
equal signs and any byte >= 128. Previously only spaces were
turned into underscores.

Also shell_quote the destination for scp, and to make life
easier - since the destination directory is created with
mkdir - drop the filename part on the scp command.

Use '--' for some shell commands for safety.

Use brackets around the scp destination for ipv6 support.
---
 PVE/API2/Storage/Status.pm | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/PVE/API2/Storage/Status.pm b/PVE/API2/Storage/Status.pm
index 8f97c18..dda5736 100644
--- a/PVE/API2/Storage/Status.pm
+++ b/PVE/API2/Storage/Status.pm
@@ -341,7 +341,7 @@ __PACKAGE__->register_method ({
 
 	chomp $filename;
 	$filename =~ s/^.*[\/\\]//;
-	$filename =~ s/\s/_/g;
+	$filename =~ s/[;:,=\s\x80-\xff]/_/g;
 
 	my $path;
 
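Review bot: The new character class on the `s/[;:,=\s\x80-\xff]/_/g` line is a denylist, so quotes, `$`, backticks, `&`, `|`, parentheses and non-whitespace control bytes still pass through into `$filename`. An allowlist is easier to reason about and does not depend on knowing every later consumer of the name: `$filename =~ s/[^-a-zA-Z0-9_.]/_/g;`. If `$filename` can arrive as a decoded character string, `\x80-\xff` would also miss code points above 0xff, which the allowlist covers as well. The enclosing handler starts and ends outside this hunk, so whether an empty or dot-only name is rejected later cannot be seen here.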
@@ -373,7 +373,7 @@ __PACKAGE__->register_method ({
 
 	    my @ssh_options = ('-o', 'BatchMode=yes');
 
-	    my @remcmd = ('/usr/bin/ssh', @ssh_options, $remip);
+	    my @remcmd = ('/usr/bin/ssh', @ssh_options, $remip, '--');
 
 	    eval { 
 		# activate remote storage
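Review bot: The `'--'` appended to `@remcmd` deserves a comment, because it only ends ssh's own option parsing; ssh still joins the following words with spaces and hands them to the remote shell. Suggested comment above the assignment: `# '--' stops ssh option parsing; the remaining words are re-parsed by the remote shell, so callers must shell_quote them`. `$remip` sits before the `--`, so this line relies on it being validated where it is resolved, which is outside the hunk. The eval body that follows is also cut by the hunk, so the arguments it passes could not be checked.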
@@ -382,14 +382,15 @@ __PACKAGE__->register_method ({
 	    };
 	    die "can't activate storage '$param->{storage}' on node '$node'\n" if $@;
 
- 	    PVE::Tools::run_command([@remcmd, '/bin/mkdir', '-p', $dirname],
+	    my $quoted_dir = PVE::Tools::shell_quote($dirname);
+ 	    PVE::Tools::run_command([@remcmd, '/bin/mkdir', '-p', '--', PVE::Tools::shell_quote($dirname)],
 				    errmsg => "mkdir failed");
  
-	    $cmd = ['/usr/bin/scp', @ssh_options, $tmpfilename, "$remip:$dest"];
+	    $cmd = ['/usr/bin/scp', @ssh_options, '--', $tmpfilename, "[$remip]:" . PVE::Tools::shell_quote($dest)];
 	} else {
 	    PVE::Storage::activate_storage($cfg, $param->{storage});
 	    File::Path::make_path($dirname);
-	    $cmd = ['cp', $tmpfilename, $dest];
+	    $cmd = ['cp', '--', $tmpfilename, $dest];
 	}
 
 	my $worker = sub  {
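Review bot: `$quoted_dir` is assigned and never used, since the `run_command` line right below it calls `PVE::Tools::shell_quote($dirname)` a second time. Pass the variable instead: `PVE::Tools::run_command([@remcmd, '/bin/mkdir', '-p', '--', $quoted_dir],`. The description says the filename part is dropped from the scp destination, but the new scp line still quotes `$dest`; `$dest` is built outside the hunk, so it appears the message and the code disagree and one of them should be adjusted. The enclosing handler starts and ends outside this hunk.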
-- 
2.1.4




