[pve-devel] [PATCH v2 pve-storage] upload API: safer filename handling
Wolfgang Bumiller
w.bumiller at proxmox.com
Tue Aug 18 15:16:45 CEST 2015
Ah, the commit message isn't up to date either now:
I forgot to remove this part: ", and to make life easier ..." (up to the end of
the paragraph)
That's actually not the case (anymore).
> On August 18, 2015 at 1:54 PM Wolfgang Bumiller <w.bumiller at proxmox.com>
> wrote:
>
>
> Replace possibly-dangerous characters in uploaded filenames
> with underscores, this includes spaces, colons, commas,
> equal signs and any byte >= 128. Previously only spaces were
> turned into underscores.
>
> Also shell_quote the destination for scp, and to make life
> easier - since the destination directory is created with
> mkdir - drop the filename part on the scp command.
>
> Use '--' for some shell commands for safety.
>
> Use brackets around the scp destination for ipv6 support.
> ---
> PVE/API2/Storage/Status.pm | 10 +++++-----
> 1 file changed, 5 insertions(+), 5 deletions(-)
>
> diff --git a/PVE/API2/Storage/Status.pm b/PVE/API2/Storage/Status.pm
> index 8f97c18..a15c630 100644
> --- a/PVE/API2/Storage/Status.pm
> +++ b/PVE/API2/Storage/Status.pm
> @@ -341,7 +341,7 @@ __PACKAGE__->register_method ({
>
> chomp $filename;
> $filename =~ s/^.*[\/\\]//;
> - $filename =~ s/\s/_/g;
> + $filename =~ s/[;:,=\s\x80-\xff]/_/g;
>
> my $path;
>
> @@ -373,7 +373,7 @@ __PACKAGE__->register_method ({
>
> my @ssh_options = ('-o', 'BatchMode=yes');
>
> - my @remcmd = ('/usr/bin/ssh', @ssh_options, $remip);
> + my @remcmd = ('/usr/bin/ssh', @ssh_options, $remip, '--');
>
> eval {
> # activate remote storage
> @@ -382,14 +382,14 @@ __PACKAGE__->register_method ({
> };
> die "can't activate storage '$param->{storage}' on node '$node'\n" if
> $@;
>
> - PVE::Tools::run_command([@remcmd, '/bin/mkdir', '-p', $dirname],
> + PVE::Tools::run_command([@remcmd, '/bin/mkdir', '-p', '--',
> PVE::Tools::shell_quote($dirname)],
> errmsg => "mkdir failed");
>
> - $cmd = ['/usr/bin/scp', @ssh_options, $tmpfilename, "$remip:$dest"];
> + $cmd = ['/usr/bin/scp', @ssh_options, '--', $tmpfilename, "[$remip]:" .
> PVE::Tools::shell_quote($dest)];
> } else {
> PVE::Storage::activate_storage($cfg, $param->{storage});
> File::Path::make_path($dirname);
> - $cmd = ['cp', $tmpfilename, $dest];
> + $cmd = ['cp', '--', $tmpfilename, $dest];
> }
>
> my $worker = sub {
> --
> 2.1.4
>
>
> _______________________________________________
> pve-devel mailing list
> pve-devel at pve.proxmox.com
> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
>
More information about the pve-devel
mailing list