[pve-devel] [RFC/PATCH storage] Fix #1925: untaint rbd JSON output

Dietmar Maurer dietmar at proxmox.com
Wed Sep 19 06:42:56 CEST 2018


> Not quite sure whether this approach is not too liberal.
> It does fix the bug reported, thus I'm sending it as an RFC.

It easy to improve a bit more, like:

    my $result = $raw ne '' ? JSON::decode_json($raw) : [];
+    my $result;
+    if ($raw eq '') {
+       $result = [];
+    } elsif ($raw =~ m/^(\[.*\])$/s) { # untaint
+       $result = JSON::decode_json($1);
+    } else {
+       die "got unexpected data from rbd ls: '$raw'\n";
+    }

will send an improved patch.



More information about the pve-devel mailing list