[pve-devel] [PATCH pve-storage] upload API: safer filename handling
Wolfgang Bumiller
w.bumiller at proxmox.com
Tue Aug 18 13:53:11 CEST 2015
Ah yes, missed that when cleaning up.
> On August 18, 2015 at 1:36 PM Thomas Lamprecht <t.lamprecht at proxmox.com>
> wrote:
>
>
>
> > @@ -382,14 +382,15 @@ __PACKAGE__->register_method ({
> > };
> > die "can't activate storage '$param->{storage}' on node '$node'\n" if
> > $@;
> >
> > - PVE::Tools::run_command([@remcmd, '/bin/mkdir', '-p', $dirname],
> > + my $quoted_dir = PVE::Tools::shell_quote($dirname);
> > + PVE::Tools::run_command([@remcmd, '/bin/mkdir', '-p', '--',
> > PVE::Tools::shell_quote($dirname)],
> > errmsg => "mkdir failed");
> You save the shell quoted dirname here in a variable $quoted_dir but use
> the shell_quote sub another time when running the command instead of
> using the variable.
> >
> > - $cmd = ['/usr/bin/scp', @ssh_options, $tmpfilename, "$remip:$dest"];
> > + $cmd = ['/usr/bin/scp', @ssh_options, '--', $tmpfilename, "[$remip]:"
> > . PVE::Tools::shell_quote($dest)];
> > } else {
> > PVE::Storage::activate_storage($cfg, $param->{storage});
> > File::Path::make_path($dirname);
> > - $cmd = ['cp', $tmpfilename, $dest];
> > + $cmd = ['cp', '--', $tmpfilename, $dest];
> > }
> >
> > my $worker = sub {
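Review bot: `my $quoted_dir` in the mkdir change is assigned but never read, because the `run_command` call still passes `PVE::Tools::shell_quote($dirname)` inline; pass `$quoted_dir` in the argument list or drop the assignment. Separately, the remote branch shell-quotes `$dirname` and `$dest` while the local `cp` branch passes `$dest` unquoted after `'--'`. A one-line comment on the remote branch saying why the quoting is needed there and not for the local copy would keep a later cleanup from making the two branches look alike. The same goes for the new brackets in `"[$remip]:"`, whose purpose is not stated anywhere in the hunk.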