On 11/30/18 1:08 PM, Philippe Mathieu-Daudé wrote:
On 30/11/18 12:12, Gerd Hoffmann wrote:
Slash is unix directory separator, so they are not allowed in filenames.
Note this also stops the classic escape via "../".
Fixes: CVE-2018-16867
Reported-by: Michael Hanselmann (hansmi.ch)
It's common for scripts to match '<email>', can you write this one as
Michael Hanselmann <hansmi.ch>?
That's not an email address, though. Do we have an email for Michael, or
just a username?
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3266
Virtualization: qemu.org | libvirt.org
