[pve-devel] [PATCH pve-storage] upload API: safer filename handling
Wolfgang Bumiller
w.bumiller at proxmox.com
Tue Aug 18 13:24:47 CEST 2015
Replace possibly-dangerous characters in uploaded filenames
with underscores, this includes spaces, colons, commas,
equal signs and any byte >= 128. Previously only spaces were
turned into underscores.
Also shell_quote the destination for scp, and to make life
easier - since the destination directory is created with
mkdir - drop the filename part on the scp command.
Use '--' for some shell commands for safety.
Use brackets around the scp destination for ipv6 support.
---
PVE/API2/Storage/Status.pm | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/PVE/API2/Storage/Status.pm b/PVE/API2/Storage/Status.pm
index 8f97c18..dda5736 100644
--- a/PVE/API2/Storage/Status.pm
+++ b/PVE/API2/Storage/Status.pm
@@ -341,7 +341,7 @@ __PACKAGE__->register_method ({
chomp $filename;
$filename =~ s/^.*[\/\\]//;
- $filename =~ s/\s/_/g;
+ $filename =~ s/[;:,=\s\x80-\xff]/_/g;
my $path;
@@ -373,7 +373,7 @@ __PACKAGE__->register_method ({
my @ssh_options = ('-o', 'BatchMode=yes');
- my @remcmd = ('/usr/bin/ssh', @ssh_options, $remip);
+ my @remcmd = ('/usr/bin/ssh', @ssh_options, $remip, '--');
eval {
# activate remote storage
@@ -382,14 +382,15 @@ __PACKAGE__->register_method ({
};
die "can't activate storage '$param->{storage}' on node '$node'\n" if $@;
- PVE::Tools::run_command([@remcmd, '/bin/mkdir', '-p', $dirname],
+ my $quoted_dir = PVE::Tools::shell_quote($dirname);
+ PVE::Tools::run_command([@remcmd, '/bin/mkdir', '-p', '--', PVE::Tools::shell_quote($dirname)],
errmsg => "mkdir failed");
- $cmd = ['/usr/bin/scp', @ssh_options, $tmpfilename, "$remip:$dest"];
+ $cmd = ['/usr/bin/scp', @ssh_options, '--', $tmpfilename, "[$remip]:" . PVE::Tools::shell_quote($dest)];
} else {
PVE::Storage::activate_storage($cfg, $param->{storage});
File::Path::make_path($dirname);
- $cmd = ['cp', $tmpfilename, $dest];
+ $cmd = ['cp', '--', $tmpfilename, $dest];
}
my $worker = sub {
--
2.1.4
More information about the pve-devel
mailing list