[pve-devel] [pve-common] PVE::ACME - untaint saved account data

Dietmar Maurer dietmar at proxmox.com
Thu Jul 26 10:45:25 CEST 2018


Signed-off-by: Dietmar Maurer <dietmar at proxmox.com>
---
 src/PVE/ACME.pm | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/PVE/ACME.pm b/src/PVE/ACME.pm
index e827aa9..38a14a5 100644
--- a/src/PVE/ACME.pm
+++ b/src/PVE/ACME.pm
@@ -152,7 +152,9 @@ sub load {
     my ($self) = @_;
     return if $self->{loaded};
     $self->{loaded} = 1;
-    my $data = fromjs(file_get_contents($self->{path}));
+    my $raw = file_get_contents($self->{path});
+    if ($raw =~ m/^(.*)$/s) { $raw = $1; }  # untaint
+    my $data = fromjs($raw);
     $self->{$_} = $data->{$_} for @SAVED_VALUES;
     if (defined(my $keystr = $data->{key})) {
 	my $key = Crypt::OpenSSL::RSA->new_private_key($keystr);
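Review bot: The new untaint `if ($raw =~ m/^(.*)$/s) { $raw = $1; }` strips the taint flag from the entire account file before anything about its content has been checked, so taint mode will no longer flag any of the values copied into `$self` via `@SAVED_VALUES` on the following line (what those fields are, and where they are later used, is not visible in this hunk). That is only acceptable because the file is presumably written by this module itself under a path the caller controls, and that reasoning should be recorded next to the regex: `# untaint: file is written by this module (not user input) and validated by the JSON parse below`. A tighter alternative is to leave `$raw` tainted and untaint the individual fields after `fromjs` with an anchored pattern that matches what each field is expected to hold, so an unexpected value still trips `-T` at the sink instead of being laundered wholesale. The `load` sub continues past the end of the hunk, so any field-level untainting would belong below it.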
-- 
2.11.0



