[pve-devel] [PATCH pve-storage] upload API: safer filename handling
Thomas Lamprecht
t.lamprecht at proxmox.com
Tue Aug 18 13:36:30 CEST 2015
> @@ -382,14 +382,15 @@ __PACKAGE__->register_method ({
> };
> die "can't activate storage '$param->{storage}' on node '$node'\n" if $@;
>
> - PVE::Tools::run_command([@remcmd, '/bin/mkdir', '-p', $dirname],
> + my $quoted_dir = PVE::Tools::shell_quote($dirname);
> + PVE::Tools::run_command([@remcmd, '/bin/mkdir', '-p', '--', PVE::Tools::shell_quote($dirname)],
> errmsg => "mkdir failed");
You save the shell quoted dirname here in a variable $quoted_dir but use
the shell_quote sub another time when running the command instead of
using the variable.
>
> - $cmd = ['/usr/bin/scp', @ssh_options, $tmpfilename, "$remip:$dest"];
> + $cmd = ['/usr/bin/scp', @ssh_options, '--', $tmpfilename, "[$remip]:" . PVE::Tools::shell_quote($dest)];
> } else {
> PVE::Storage::activate_storage($cfg, $param->{storage});
> File::Path::make_path($dirname);
> - $cmd = ['cp', $tmpfilename, $dest];
> + $cmd = ['cp', '--', $tmpfilename, $dest];
> }
>
> my $worker = sub {
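Review bot: the scp line in the remote branch also changes "$remip:$dest" to "[$remip]:" . PVE::Tools::shell_quote($dest), and the added brackets around $remip are a separate change from the filename quoting named in the subject, so they should be mentioned in the commit message or split into their own patch. A short comment above the scp and cp lines would also help, saying why $dest is shell_quote'd for scp but passed unquoted to cp (presumably because only the remote path is parsed by a shell, while cp receives it as a list element), since that asymmetry is easy to "fix" by mistake later.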