From fc015f3d9c83dbed9bd0f07dddab32b3ba93e494 Mon Sep 17 00:00:00 2001
From: Thomas Lamprecht <t.lamprecht@proxmox.com>
Date: Wed, 23 Jun 2021 22:40:40 +0200
Subject: [PATCH] api: file download: limit filename length and encode it for
 the worker id

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
---
 PVE/API2/Storage/Status.pm | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/PVE/API2/Storage/Status.pm b/PVE/API2/Storage/Status.pm
index 50013a3..72fd851 100644
--- a/PVE/API2/Storage/Status.pm
+++ b/PVE/API2/Storage/Status.pm
@@ -525,6 +525,7 @@ __PACKAGE__->register_method({
 	    },
 	    filename => {
 		description => "The name of the file to create. Caution: This will be normalized!",
+		maxLength => 255,
 		type => 'string',
 	    },
 	    checksum => {
@@ -607,7 +608,9 @@ __PACKAGE__->register_method({
 	    PVE::Tools::download_file_from_url("$path/$filename", $url, $opts);
 	};
 
-	return $rpcenv->fork_worker('download', $filename, $user, $worker);
+	my $worker_id = PVE::Tools::encode_text($filename); # must not pass : or the like as w-ID
+
+	return $rpcenv->fork_worker('download', $worker_id, $user, $worker);
     }});
 
 1;