[pve-devel] [PATCH pve-manager] Untaint the content of pve-replication-state.json.
Wolfgang Link
w.link at proxmox.com
Wed May 31 14:03:34 CEST 2017
JSON::decode will not untaint the raw text, so we get problems with the
last_sync, which we use many times in the code with open3.
---
PVE/Replication.pm | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/PVE/Replication.pm b/PVE/Replication.pm
index 01111787..ce0c863f 100644
--- a/PVE/Replication.pm
+++ b/PVE/Replication.pm
@@ -64,7 +64,10 @@ my $read_state = sub {
return {} if $raw eq '';
- return decode_json($raw);
+ # untaint $raw
+ $raw =~ m/^({.*})$/;
+
+ return decode_json($1);
};
sub job_status {
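Review bot: the result of `$raw =~ m/^({.*})$/;` is never checked before `decode_json($1)` is called. If the match fails, `$1` is either undef or still holds the capture from an earlier successful match in the enclosing scope, so the function can die with a confusing decode error or decode stale data. One way it can fail: `.` does not match a newline without the /s modifier, so a state file whose JSON spans several lines will not match. Suggest making the match the condition, e.g. `if ($raw =~ m/^(\{.*\})$/s) { return decode_json($1); }`, with an explicit die naming the state file otherwise. Also note that the pattern accepts anything between the braces, so it only clears the taint flag and validates nothing. Since the commit message says the concern is last_sync reaching open3, checking that field against its expected format after decoding would keep taint mode meaningful for that call path.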
--
2.11.0