[pve-devel] applied: [PATCH common v2] untaint df return values

Thomas Lamprecht t.lamprecht at proxmox.com
Tue Apr 24 10:48:24 CEST 2018


applied, with a Co-authored-by me (so that you do not get the full
blame for my hash slice proposal ;) )

On 4/24/18 10:15 AM, Dominik Csapak wrote:
> since we sometimes use their length in a format string for printf
> 
> Signed-off-by: Dominik Csapak <d.csapak at proxmox.com>
> ---
> changes from v1:
> * used map style like thomas described (with a fix for definedness)
>  src/PVE/Tools.pm | 10 +++++++---
>  1 file changed, 7 insertions(+), 3 deletions(-)
> 
> diff --git a/src/PVE/Tools.pm b/src/PVE/Tools.pm
> index d5373a4..6a2dae4 100644
> --- a/src/PVE/Tools.pm
> +++ b/src/PVE/Tools.pm
> @@ -986,10 +986,14 @@ sub df {
>      my $res = eval { run_fork_with_timeout($timeout, $df) } // {};
>      warn $@ if $@;
>  
> +    # untaint the values
> +    my ($blocks, $used, $bavail) = map { defined($_) ? (/^(\d+)$/) : 0 }
> +	$res->@{qw(blocks used bavail)};
> +
>      return {
> -	total => $res->{blocks} // 0,
> -	used => $res->{used} // 0,
> -	avail => $res->{bavail} // 0,
> +	total => $blocks,
> +	used => $used,
> +	avail => $bavail,
>      };
>  }
>  
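Review bot: In the added `map` line, a value that is defined but does not match `/^(\d+)$/` makes the match return an empty list in list context, so `map` yields fewer than three elements and the assignment to `($blocks, $used, $bavail)` shifts. A non-numeric `blocks` would put the `used` value into `$blocks` and leave `$bavail` undefined, which also loses the `// 0` fallback the removed lines had. Each element should always produce exactly one value, for example `defined($_) && /^(\d+)$/ ? $1 : 0`. The `# untaint the values` comment could also state why the untainting is needed (the lengths are used in a printf format string, per the commit message).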
> 




