[pve-devel] [PATCH cluster 2/2] fix tainted input in backup_cfs_database
Thomas Lamprecht
t.lamprecht at proxmox.com
Mon Mar 12 09:26:27 CET 2018
We can call this module also now over the API through
pvedaemon/pveproxy which have tainting checks on.
Thus we need to untaint the "read existing backups" inputs,
as else this errors out here.
Only triggers when over 10 backups existed already, so this does
not triggers really often in the real world.
Signed-off-by: Thomas Lamprecht <t.lamprecht at proxmox.com>
---
data/PVE/Cluster.pm | 1 +
1 file changed, 1 insertion(+)
diff --git a/data/PVE/Cluster.pm b/data/PVE/Cluster.pm
index 27b1c97..fabf5bc 100644
--- a/data/PVE/Cluster.pm
+++ b/data/PVE/Cluster.pm
@@ -1762,6 +1762,7 @@ my $backup_cfs_database = sub {
if ((my $count = scalar(@$backups)) > $maxfiles) {
foreach my $f (@$backups[$maxfiles..$count-1]) {
+ next if $f !~ m/^(\S+)$/; # untaint
print "delete old backup '$1'\n";
unlink $1;
}
--
2.14.2
More information about the pve-devel
mailing list