From 53ec90e23e2cc2fab7a6ea97a3248b3b093e7e8b Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller
Date: Tue, 18 Aug 2015 13:54:06 +0200
Subject: [PATCH] upload API: safer filename handling

Replace possibly-dangerous characters in uploaded filenames with underscores, this includes spaces, colons, commas, equal signs and any byte >= 128. Previously only spaces were turned into underscores. Also shell_quote the destination for scp. Use '--' for some shell commands for safety. Use brackets around the scp destination for ipv6 support.
---
 PVE/API2/Storage/Status.pm | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/PVE/API2/Storage/Status.pm b/PVE/API2/Storage/Status.pm
index 8f97c18..e04e184 100644
--- a/PVE/API2/Storage/Status.pm
+++ b/PVE/API2/Storage/Status.pm
@@ -341,7 +341,7 @@ __PACKAGE__->register_method ({
 chomp $filename;
 $filename =~ s/^.*[\/\\]//;
- $filename =~ s/\s/_/g;
+ $filename =~ s/[;:,=\s\x80-\xff]/_/g;
 my $path;
@@ -373,7 +373,7 @@ __PACKAGE__->register_method ({
 my @ssh_options = ('-o', 'BatchMode=yes');
- my @remcmd = ('/usr/bin/ssh', @ssh_options, $remip);
+ my @remcmd = ('/usr/bin/ssh', @ssh_options, $remip, '--');
 eval {
 # activate remote storage
@@ -382,14 +382,14 @@ __PACKAGE__->register_method ({
 };
 die "can't activate storage '$param->{storage}' on node '$node'\n" if $@;
- PVE::Tools::run_command([@remcmd, '/bin/mkdir', '-p', $dirname],
+ PVE::Tools::run_command([@remcmd, '/bin/mkdir', '-p', '--', PVE::Tools::shell_quote($dirname)],
 errmsg => "mkdir failed");
- $cmd = ['/usr/bin/scp', @ssh_options, $tmpfilename, "$remip:$dest"];
+ $cmd = ['/usr/bin/scp', @ssh_options, '--', $tmpfilename, "[$remip]:" . PVE::Tools::shell_quote($dest)];
 } else {
 PVE::Storage::activate_storage($cfg, $param->{storage});
 File::Path::make_path($dirname);
- $cmd = ['cp', $tmpfilename, $dest];
+ $cmd = ['cp', '--', $tmpfilename, $dest];
 }
 my $worker = sub {
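Review bot: The new substitution on `$filename` in the first hunk is still a denylist, so quotes, backticks, `$`, `&`, `|`, non-whitespace control bytes and a leading `-` pass through unchanged. An allowlist bounds the result to a known alphabet instead, for example `$filename =~ s/[^-a-zA-Z0-9_.]/_/g;`. The `\x80-\xff` range only covers byte values, so if `$filename` ever arrives as a decoded character string, code points above 0xff would not be replaced; how the parameter is decoded is not visible here. A name that reduces to an empty string, `.` or `..` after the basename strip should be rejected explicitly, and whether later code does so lies outside the hunk.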
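Review bot: The `--` appended to `@remcmd` in the second hunk sits after `$remip`, so it ends option parsing for the remote command words but not for the host argument itself. Where `$remip` comes from is outside the hunk; if it is not already guaranteed to be a validated address, check it before building `@remcmd` so a value beginning with `-` can never be read as an ssh option. A short comment would also keep the terminator from being removed later as noise, e.g. `# '--' keeps ssh from parsing the remote command words as its own options`.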
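Review bot: The third hunk quotes `$dirname` and `$dest` for the remote side but leaves the local `cp` arguments raw, and nothing in the code says why. The reason is that ssh and legacy-protocol scp hand the path to a shell on the remote node, whereas the list-form local command never reaches a shell. I would add a comment above the `run_command` call such as `# remote paths pass through the remote shell, so quote them exactly once; local list-form commands must not be quoted`. The scp quoting also depends on the transport: on OpenSSH releases where scp defaults to the SFTP protocol the path is not shell-expanded and the quotes would become part of the file name, so that assumption should be stated next to the `scp` line. Separately, `'cp'` is resolved through `PATH` while every other command in the hunk uses an absolute path; `/bin/cp` would be consistent.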