[pve-devel] applied: [pve-common] PVE::ACME - untaint saved account data
Thomas Lamprecht
t.lamprecht at proxmox.com
Thu Jul 26 11:01:19 CEST 2018
On 07/26/2018 at 10:45 AM, Dietmar Maurer wrote:
> Signed-off-by: Dietmar Maurer <dietmar at proxmox.com>
> ---
> src/PVE/ACME.pm | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/src/PVE/ACME.pm b/src/PVE/ACME.pm
> index e827aa9..38a14a5 100644
> --- a/src/PVE/ACME.pm
> +++ b/src/PVE/ACME.pm
> @@ -152,7 +152,9 @@ sub load {
> my ($self) = @_;
> return if $self->{loaded};
> $self->{loaded} = 1;
> - my $data = fromjs(file_get_contents($self->{path}));
> + my $raw = file_get_contents($self->{path});
> + if ($raw =~ m/^(.*)$/s) { $raw = $1; } # untaint
> + my $data = fromjs($raw);
> $self->{$_} = $data->{$_} for @SAVED_VALUES;
> if (defined(my $keystr = $data->{key})) {
> my $key = Crypt::OpenSSL::RSA->new_private_key($keystr);
>
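Review bot: the untaint pattern on the added line `if ($raw =~ m/^(.*)$/s) { $raw = $1; }` matches any input, so it clears the taint flag on everything read from `$self->{path}` without validating it. If the saved account file is treated as trusted, the `# untaint` comment should state why its content can be trusted; otherwise validate the decoded fields after `fromjs($raw)`, in particular `$data->{key}` before it reaches `Crypt::OpenSSL::RSA->new_private_key`.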
applied