[pve-devel] [pve-common] print_text_table: untaint $width

Dietmar Maurer dietmar at proxmox.com
Fri Jul 27 14:55:17 CEST 2018


The value of $width depends on possible untainted $data (for example
task logs read from external files).

Signed-off-by: Dietmar Maurer <dietmar at proxmox.com>
---
 src/PVE/CLIFormatter.pm | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/PVE/CLIFormatter.pm b/src/PVE/CLIFormatter.pm
index ff0e264..d964b51 100644
--- a/src/PVE/CLIFormatter.pm
+++ b/src/PVE/CLIFormatter.pm
@@ -209,6 +209,8 @@ sub print_text_table {
 		$width = $len if $len > $width;
 	    }
 
+	    $width = ($width =~ m/^(\d+)$/) ? int($1) : 0; # untaint int
+
 	    $rowdata->{$prop} = {
 		lines => $lines,
 		width => $width,
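
Review bot: On the added `$width = ($width =~ m/^(\d+)$/) ? int($1) : 0; # untaint int` line, the fallback to 0 silently hides the case where $width is not a plain integer, and that zero is then stored as `width => $width` in $rowdata->{$prop}. Since $width is only ever assigned from $len in the comparison just above, a non-match would point to a bug, so a die or warn in the else branch would be safer than a silent 0. In addition, `\d` can match non-ASCII Unicode digits in Perl; `[0-9]` (or the /a modifier) keeps the untaint pattern strict. The `# untaint int` comment could also state that the taint comes from $data, as the commit message does.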
-- 
2.11.0



