[pve-devel] [PATCH common v2] untaint df return values
Dominik Csapak
d.csapak at proxmox.com
Tue Apr 24 10:15:14 CEST 2018
since we sometimes use their length in a format string for printf
Signed-off-by: Dominik Csapak <d.csapak at proxmox.com>
---
changes from v1:
* used map style like Thomas described (with a fix for definedness)
src/PVE/Tools.pm | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/src/PVE/Tools.pm b/src/PVE/Tools.pm
index d5373a4..6a2dae4 100644
--- a/src/PVE/Tools.pm
+++ b/src/PVE/Tools.pm
@@ -986,10 +986,14 @@ sub df {
my $res = eval { run_fork_with_timeout($timeout, $df) } // {};
warn $@ if $@;
+ # untaint the values
+ my ($blocks, $used, $bavail) = map { defined($_) ? (/^(\d+)$/) : 0 }
+ $res->@{qw(blocks used bavail)};
+
return {
- total => $res->{blocks} // 0,
- used => $res->{used} // 0,
- avail => $res->{bavail} // 0,
+ total => $blocks,
+ used => $used,
+ avail => $bavail,
};
}
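Review bot: the map block `defined($_) ? (/^(\d+)$/) : 0` does not yield exactly one element per input, so the three-way list assignment can misalign. In list context a non-matching `/^(\d+)$/` returns an empty list, which means a defined but non-numeric value (anything df prints that is not pure digits, e.g. "-" or a value with a trailing newline) produces no element at all and the remaining values shift left: `used` would end up in `$blocks` and `bavail` in `$used`, silently reporting wrong numbers. Return a single scalar in every branch, for instance `map { defined($_) && /^(\d+)$/ ? $1 : 0 } $res->@{qw(blocks used bavail)};`, so a failed match still yields 0 in its own slot. Minor: `$` also matches before a trailing newline, so `\z` is the tighter anchor, and `[0-9]` is stricter than `\d` (which also matches non-ASCII digits) if these values are later used as format widths.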
--
2.11.0