[pve-devel] r5952 - in pve-common/trunk/data: . PVE
svn-commits at proxmox.com
Tue May 10 09:07:59 CEST 2011
Author: dietmar
Date: 2011-05-10 09:07:59 +0200 (Tue, 10 May 2011)
New Revision: 5952
Modified:
pve-common/trunk/data/ChangeLog
pve-common/trunk/data/PVE/RESTHandler.pm
Log:
untaint parameters
Modified: pve-common/trunk/data/ChangeLog
===================================================================
--- pve-common/trunk/data/ChangeLog 2011-05-09 11:18:12 UTC (rev 5951)
+++ pve-common/trunk/data/ChangeLog 2011-05-10 07:07:59 UTC (rev 5952)
@@ -1,3 +1,7 @@
+2011-05-10 Proxmox Support Team <support at proxmox.com>
+
+ * PVE/RESTHandler.pm (handle): untaint parameters after validate
+
2011-03-23 Proxmox Support Team <support at proxmox.com>
* PVE/Tools.pm (debmirrors): return list of debian mirrors (per
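Review bot: the new entry "untaint parameters after validate" omits a condition visible in the RESTHandler.pm hunk: values are only untainted inside `if (my $schema = $info->{parameters})`, so a handler registered without a parameter schema still receives tainted input. Suggest wording it "untaint parameters after successful schema validation (methods without a parameters schema are unchanged)" so later readers do not assume every handler now sees clean data.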
Modified: pve-common/trunk/data/PVE/RESTHandler.pm
===================================================================
--- pve-common/trunk/data/PVE/RESTHandler.pm 2011-05-09 11:18:12 UTC (rev 5951)
+++ pve-common/trunk/data/PVE/RESTHandler.pm 2011-05-10 07:07:59 UTC (rev 5952)
@@ -203,6 +203,10 @@
if (my $schema = $info->{parameters}) {
# warn "validate ". Dumper($param}) . "\n" . Dumper($schema);
PVE::JSONSchema::validate($param, $schema);
+ # untaint data (already validated)
+ while (my ($key, $val) = each %$param) {
+ ($param->{$key}) = $val =~ /^(.*)$/s;
+ }
}
my $result = &$func($param);
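Review bot: `($param->{$key}) = $val =~ /^(.*)$/s;` untaints every value unconditionally, so the taint check now adds nothing beyond what `PVE::JSONSchema::validate` enforces; for any parameter whose schema is a bare string with no `pattern`, `enum` or `format`, an attacker-controlled value reaches the handler untainted. Either untaint per parameter from the schema's own constraint (extract the capture with that pattern instead of `.*`), or state the invariant in a comment, e.g. `# safe only because validate() rejects anything the schema does not permit`, so that a later relaxation of a schema is understood to widen what becomes untainted. Two smaller issues in the same loop: an `undef` value (an optional parameter present as null) triggers an "uninitialized value" warning under `-w`, and a reference value (array or object parameters that the schema may allow) is stringified to `ARRAY(0x...)` and silently replaced; guard with `next if !defined($val) || ref($val);` before the match. Modifying the value of an existing key inside `each` is safe in Perl, so the iteration itself is fine.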