[pve-devel] [PATCH common v2] untaint df return values

Dominik Csapak Tue, 24 Apr 2018 01:16:23 -0700

since we sometimes use their length in a format string for printf

Signed-off-by: Dominik Csapak <d.csa...@proxmox.com>
---
changes from v1:
* used map style like thomas described (with a fix for definedness)
 src/PVE/Tools.pm | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)


diff --git a/src/PVE/Tools.pm b/src/PVE/Tools.pm
index d5373a4..6a2dae4 100644
--- a/src/PVE/Tools.pm
+++ b/src/PVE/Tools.pm
@@ -986,10 +986,14 @@ sub df {
     my $res = eval { run_fork_with_timeout($timeout, $df) } // {};
     warn $@ if $@;
 
+    # untaint the values
+    my ($blocks, $used, $bavail) = map { defined($_) ? (/^(\d+)$/) : 0 }
+       $res->@{qw(blocks used bavail)};
+
     return {
-       total => $res->{blocks} // 0,
-       used => $res->{used} // 0,
-       avail => $res->{bavail} // 0,
+       total => $blocks,
+       used => $used,
+       avail => $bavail,
     };
 }
 
-- 
2.11.0


_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

[pve-devel] [PATCH common v2] untaint df return values

Reply via email to