[pve-devel] [pve-common] print_text_table: untaint $width
Dietmar Maurer
dietmar at proxmox.com
Fri Jul 27 14:55:17 CEST 2018
The value of $width depends on possible untainted $data (for example
task logs read from external files).
Signed-off-by: Dietmar Maurer <dietmar at proxmox.com>
---
src/PVE/CLIFormatter.pm | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/PVE/CLIFormatter.pm b/src/PVE/CLIFormatter.pm
index ff0e264..d964b51 100644
--- a/src/PVE/CLIFormatter.pm
+++ b/src/PVE/CLIFormatter.pm
@@ -209,6 +209,8 @@ sub print_text_table {
$width = $len if $len > $width;
}
+ $width = ($width =~ m/^(\d+)$/) ? int($1) : 0; # untaint int
+
$rowdata->{$prop} = {
lines => $lines,
width => $width,
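Review bot: The `: 0` fallback on the added `$width = ($width =~ m/^(\d+)$/) ? int($1) : 0;` line silently resets the column width to 0 if the pattern ever fails to match, which would hide a bug upstream instead of surfacing it. Since the context line `$width = $len if $len > $width;` suggests $width is only ever built from length comparisons, a non-match should not occur in normal operation, so consider a `die` or at least a warning in that branch rather than continuing with 0. The `# untaint int` comment would also be more useful if it said why $width is tainted here (it is derived from $data, as the commit message explains), so a later reader does not remove the line as a no-op.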
--
2.11.0