[pve-devel] [PATCH RFC container] include custom lxc options when displaying config

Dietmar Maurer dietmar at proxmox.com
Wed Jun 15 15:54:41 CEST 2016


> > 
> > > +				my $v = PVE::Tools::encode_text(@$lxc_opt[1]);
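Review bot: on the added `my $v = ...` line, `@$lxc_opt[1]` is a one-element array slice where a scalar element access is meant; `$lxc_opt->[1]` is the usual form and reads more clearly. The line also gives no hint of why the value is encoded before display, so a short comment saying that it is an unvalidated, user-provided value printed to the terminal would save the next reader the question.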
> > 
> > why do you call PVE::Tools::encode_text() here?
> 
> because this is an unvalidated, user provided value that is printed to the
> shell/terminal

IMHO that is not really dangerous

> (we do the same for the description). 

because we store them in this format, so the file content is exactly what is
printed.

> I can't think of anything really dangerous atm, but you can at least hide
> stuff (for example, lines or parts of lines) using terminal escape sequences.

Ah, but only root can add those lines?
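
The concern discussed in this thread, as an added example that is not part of the original message or of the Proxmox code: a value containing terminal control bytes can overwrite text already printed on the same line, and percent-encoding those bytes before printing keeps the whole value visible. The helper `encode_for_terminal`, the option keys and the values are constructed for illustration; the helper is not `PVE::Tools::encode_text`, and the `[key, value]` layout is an assumption based on the `$lxc_opt` access in the quoted hunk.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper for this example (not PVE::Tools::encode_text).
# Works on the raw bytes read from the config file: '%' and every byte
# outside printable ASCII become %XX, so ESC (0x1B), CR (0x0D), LF (0x0A)
# and similar bytes never reach the terminal unescaped.
sub encode_for_terminal {
    my ($value) = @_;
    $value =~ s/([^\x20-\x24\x26-\x7e])/sprintf("%%%02X", ord($1))/ge;
    return $value;
}

# Constructed sample: [key, value] pairs as they might be parsed from a
# container config. The second value carries CR followed by "erase line"
# (ESC [ 2 K), which makes a terminal wipe what was printed before it on
# that line, including the key.
my @lxc_opts = (
    ['lxc.example.one', 'plain-value'],
    ['lxc.example.two', "first-part\r\e[2Ksecond-part"],
    ['lxc.example.three', '100% literal'],
);

for my $lxc_opt (@lxc_opts) {
    my ($key, $value) = @$lxc_opt;
    my $shown = encode_for_terminal($value);

    # Self-check: nothing that a terminal interprets may survive encoding.
    die "control byte left in output for $key\n"
        if $shown =~ /[\x00-\x1f\x7f-\xff]/;

    printf "%s: %s\n", $key, $shown;
}
```

Printed raw, the second entry would show only `second-part` on its line; encoded, the key and both parts stay visible and the `%` in the third entry is escaped so the output remains unambiguous.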



