[pve-devel] [PATCH pve-storage] upload API: safer filename handling

Thomas Lamprecht t.lamprecht at proxmox.com
Tue Aug 18 13:36:30 CEST 2015


> @@ -382,14 +382,15 @@ __PACKAGE__->register_method ({
>   	    };
>   	    die "can't activate storage '$param->{storage}' on node '$node'\n" if $@;
>   
> - 	    PVE::Tools::run_command([@remcmd, '/bin/mkdir', '-p', $dirname],
> +	    my $quoted_dir = PVE::Tools::shell_quote($dirname);
> + 	    PVE::Tools::run_command([@remcmd, '/bin/mkdir', '-p', '--', PVE::Tools::shell_quote($dirname)],
>   				    errmsg => "mkdir failed");
You store the shell-quoted dirname in the variable $quoted_dir here, but then
call the shell_quote sub a second time when running the command instead of
using the variable.
>    
> -	    $cmd = ['/usr/bin/scp', @ssh_options, $tmpfilename, "$remip:$dest"];
> +	    $cmd = ['/usr/bin/scp', @ssh_options, '--', $tmpfilename, "[$remip]:" . PVE::Tools::shell_quote($dest)];
>   	} else {
>   	    PVE::Storage::activate_storage($cfg, $param->{storage});
>   	    File::Path::make_path($dirname);
> -	    $cmd = ['cp', $tmpfilename, $dest];
> +	    $cmd = ['cp', '--', $tmpfilename, $dest];
>   	}
>   
>   	my $worker = sub  {
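Review bot: The remote branch shell-quotes `$dirname` and `$dest` while the local `cp` branch passes `$dest` unquoted, and no comment says why, which invites a later "consistency" change in either direction. ssh joins its arguments into one string for the remote shell, and scp in its classic rcp-style protocol also hands the remote path to a shell, so those paths need quoting. `$cmd` in the local branch is an argument list and, assuming the worker runs it without a shell (the worker body is outside this hunk), it needs only the `--` guard. I would add a comment above the mkdir call, for example `# remote paths are parsed by a shell (ssh/scp), so quote them; the local cp gets an argv list and must not be quoted`. Quoting and `--` cover only metacharacters and leading dashes; whether the uploaded filename is reduced to a plain basename before `$dest` is built is not visible here and is worth confirming.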




