untaint path

2025-08-05 05:30:54 +00:00 · 2012-06-06 13:06:51 +02:00 · 2012-06-06 13:06:51 +02:00 · 1e15ebe7b5
commit 1e15ebe7b5
parent 437be042c2
3 changed files with 10 additions and 1 deletions
--- a/2
+++ b/2
@ -2,7 +2,7 @@ RELEASE=2.1

 VERSION=1.0
 PACKAGE=libpve-access-control
-PKGREL=23
+PKGREL=24

 DESTDIR=
 PREFIX=/usr
--- a/PVE/RPCEnvironment.pm
+++ b/PVE/RPCEnvironment.pm
@ -304,6 +304,9 @@ sub check_volume_access {
 	    if $user ne 'root@pam';

 	$path = abs_path($volid);
+	if ($path =~ m|^(/.+)$|) {
+	    $path = $1; # untaint any path
+	}
    }
    return $path;
 }
--- a/changelog.Debian
+++ b/changelog.Debian
@ -1,3 +1,9 @@
+libpve-access-control (1.0-24) unstable; urgency=low
+
+  * untaint path (allow root to restore arbitrary paths)
+
+ -- Proxmox Support Team <support@proxmox.com>  Wed, 06 Jun 2012 13:06:34 +0200
+
 libpve-access-control (1.0-23) unstable; urgency=low

  * correctly compute GUI capabilities (consider pools)