[pve-devel] [PATCH common] untaint df return values

Dominik Csapak d.csapak at proxmox.com
Fri Apr 20 11:42:09 CEST 2018


Untaint the values returned by df(), since their length is sometimes used in a printf format string.

Signed-off-by: Dominik Csapak <d.csapak at proxmox.com>
---
 src/PVE/Tools.pm | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/src/PVE/Tools.pm b/src/PVE/Tools.pm
index d5373a4..a366d47 100644
--- a/src/PVE/Tools.pm
+++ b/src/PVE/Tools.pm
@@ -986,10 +986,15 @@ sub df {
     my $res = eval { run_fork_with_timeout($timeout, $df) } // {};
     warn $@ if $@;
 
+    #untaint the values
+    my ($blocks) = $res->{blocks} =~ m/^(\d+)$/ if $res->{blocks};
+    my ($used) = $res->{used} =~ m/^(\d+)$/ if $res->{used};
+    my ($bavail) = $res->{bavail} =~ m/^(\d+)$/ if $res->{bavail};
+
     return {
-	total => $res->{blocks} // 0,
-	used => $res->{used} // 0,
-	avail => $res->{bavail} // 0,
+	total => $blocks // 0,
+	used => $used // 0,
+	avail => $bavail // 0,
     };
 }
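Review bot: The three `my ($x) = ... if $res->{...};` lines after the `#untaint the values` comment rely on a `my` declaration with a statement modifier, which perlsyn documents as undefined behaviour; in practice a false condition can leave the lexical holding the value from a previous call of df() rather than undef, so the `// 0` fallback in the returned hash would silently hand back stale numbers. Declaring unconditionally and feeding the regex an empty string for a missing value keeps both the untainting and the fallback intact: `my ($blocks) = ($res->{blocks} // '') =~ m/\A(\d+)\z/;`, `my ($used) = ($res->{used} // '') =~ m/\A(\d+)\z/;`, `my ($bavail) = ($res->{bavail} // '') =~ m/\A(\d+)\z/;`. Using `\A`/`\z` instead of `^`/`$` also rejects a trailing newline, which `$` would otherwise accept; that is probably harmless for df output but the stricter anchor costs nothing. The `sub df` signature and the `$df` closure handed to run_fork_with_timeout are above the hunk, so I cannot see how the raw `blocks`/`used`/`bavail` fields are produced or whether a non-numeric value there should be reported rather than mapped to 0.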
 
-- 
2.11.0




