yesBad/pve-storage
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

plugin: volume snapshot info: untaint snapshot filename

Browse Source 
Without untainting, offline-deleting a volume-chain snapshot on a
directory storage via the GUI fails with an "Insecure dependecy in
exec [...]" error, because volume_snapshot_delete uses the filename
its qemu-img invocation.

Signed-off-by: Friedrich Weber <f.weber@proxmox.com>
This commit is contained in:
Friedrich Weber
2025-07-25 17:48:57 +02:00
committed by Fabian Grünbichler
parent 43ec7bdfe6
commit 93f0dfbc75
1 changed files with 1 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
src/PVE/Storage/Plugin.pm
View File

@ -1789,6 +1789,7 @@ sub volume_snapshot_info {
my $snapshots = $json_decode; my $snapshots = $json_decode;
for my $snap (@$snapshots) { for my $snap (@$snapshots) {
my $snapfile = $snap->{filename}; my $snapfile = $snap->{filename};
($snapfile) = $snapfile =~ m|^(/.*)|; # untaint
my $snapname = $get_snapname_from_path->($volname, $snapfile); my $snapname = $get_snapname_from_path->($volname, $snapfile);
#not a proxmox snapshot #not a proxmox snapshot
next if !$snapname; next if !$snapname;