On 11/17/24 16:16, Thomas Lamprecht wrote:
On 15.11.24 at 16:17, Dominik Csapak wrote:
if the base image (parent) of an image contains whitespace in its path
(e.g. a space), the current untainting would not match and it would seem
there was no parent.
do we really want all spaces like newline too? Those sometimes can cause odd
things when printing to CLI or the like, so maybe just add space explicitly?
Like with: /^([ \S]+)$/
mhmm, I agree that there might be some characters that can cause problems.
in that case I'd rather just 'die' if we encounter a base image with
problematic characters,
instead of treating it as having no parent?
I can't exactly remember the context of this patch, but we now disallow
base images for imported volumes altogether, so not sure if it is still
necessary to allow such paths for parents
(file based storages can't have a space in the path, and neither can have
volume ids created with our api)
Fix that by adapting the untaint regex
Signed-off-by: Dominik Csapak <d.csa...@proxmox.com>
---
src/PVE/Storage/Plugin.pm | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/PVE/Storage/Plugin.pm b/src/PVE/Storage/Plugin.pm
index eed764d..761783f 100644
--- a/src/PVE/Storage/Plugin.pm
+++ b/src/PVE/Storage/Plugin.pm
@@ -1031,7 +1031,7 @@ sub file_size_info {
($format) = ($format =~ /^(\S+)$/); # untaint
die "format '$format' includes whitespace\n" if !defined($format);
if (defined($parent)) {
- ($parent) = ($parent =~ /^(\S+)$/); # untaint
+ ($parent) = ($parent =~ /^(.*)$/); # untaint
}
return wantarray ? ($size, $format, $used, $parent, $st->ctime) : $size;
}
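Review bot: In the added line, /^(.*)$/ accepts much more than the space this change is about: tabs and other control characters pass, an empty string now matches and leaves $parent defined but empty, and a value with an embedded newline still fails to match, so $parent silently becomes undef and the image looks like it has no parent. Consider the narrower /^([ \S]+)$/ and, as is done for $format two lines above, a die when the match fails instead of dropping the parent.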
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
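
An added example, not part of the original thread or of the Proxmox code: it runs the three untaint patterns discussed above over constructed parent paths, so the handling of spaces, tabs, newlines and the empty string can be compared side by side. The helper untaint_parent_or_die is hypothetical and follows the suggestion to die rather than treat the image as having no parent.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# The three untaint patterns from the thread.
my @patterns = (
    [ 'old /^(\S+)$/'    => qr/^(\S+)$/ ],
    [ 'new /^(.*)$/'     => qr/^(.*)$/ ],
    [ 'alt /^([ \S]+)$/' => qr/^([ \S]+)$/ ],
);

# Constructed sample parent paths (not taken from a real system).
my @samples = (
    "/mnt/store/base.qcow2",
    "/mnt/my store/base.qcow2",
    "/mnt/store/base.qcow2\n",    # trailing newline
    "/mnt/store/a\nb.qcow2",      # embedded newline
    "/mnt/store/a\tb.qcow2",      # tab
    "",                           # empty value
);

# Render a value with control characters made visible.
sub show {
    my ($s) = @_;
    return 'undef' if !defined($s);
    $s =~ s/\n/\\n/g;
    $s =~ s/\t/\\t/g;
    return "'$s'";
}

# Hypothetical helper: reject unsupported characters instead of
# silently returning undef, which callers read as "no parent".
sub untaint_parent_or_die {
    my ($raw) = @_;
    my ($parent) = ($raw =~ /^([ \S]+)$/);
    die "parent " . show($raw) . " contains unsupported characters\n"
        if !defined($parent);
    return $parent;
}

for my $sample (@samples) {
    print "input ", show($sample), "\n";
    for my $p (@patterns) {
        my ($label, $re) = @$p;
        my ($parent) = ($sample =~ $re);    # list context: capture or undef
        print "  $label -> ", show($parent), "\n";
    }
    my $strict = eval { untaint_parent_or_die($sample) };
    print "  strict -> ", defined($strict) ? show($strict) : "died: $@";
    print "\n" if defined($strict);
}
```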