From b24661939c3e006a4870256ddd6386f134a677d7 Mon Sep 17 00:00:00 2001
From: Friedrich Weber
Date: Mon, 31 Mar 2025 11:20:29 +0200
Subject: [PATCH] tools: upid decode: do not allow slashes in UPIDs
The current regex allows slashes as part of the fields $dtype, $id, and $user. If the given UPID matches the regex, the UPID is used to construct the task log filename. Hence, slashes in the UPID allow a limited form of path traversal and will write the task log to a directory other than /var/log/pve/tasks/subdir/X. While slashes are not expected to appear in these fields under normal circumstances, add a safeguard against such conditions and disallow slashes in the three fields. UPIDs with slashes will then fail with "unable to parse worker upid [...]". Patch best viewed with git show -p --word-diff-regex=.
Signed-off-by: Friedrich Weber
---
 src/PVE/Tools.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/PVE/Tools.pm b/src/PVE/Tools.pm
index 57eb86c..761500d 100644
--- a/src/PVE/Tools.pm
+++ b/src/PVE/Tools.pm
@@ -1183,7 +1183,7 @@ sub upid_decode {
 # "UPID:$node:$pid:$pstart:$startime:$dtype:$id:$user"
 # Note: allow up to 9 characters for pstart (work until 20 years uptime)
- if ($upid =~ m/^UPID:([a-zA-Z0-9]([a-zA-Z0-9\-]*[a-zA-Z0-9])?):([0-9A-Fa-f]{8}):([0-9A-Fa-f]{8,9}):([0-9A-Fa-f]{8}):([^:\s]+):([^:\s]*):([^:\s]+):$/) {
+ if ($upid =~ m|^UPID:([a-zA-Z0-9]([a-zA-Z0-9\-]*[a-zA-Z0-9])?):([0-9A-Fa-f]{8}):([0-9A-Fa-f]{8,9}):([0-9A-Fa-f]{8}):([^:\s/]+):([^:\s/]*):([^:\s/]+):$|) {
 $res->{node} = $1;
 $res->{pid} = hex($3);
 $res->{pstart} = hex($4);
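Review bot: The end anchor of the new pattern is still `$`, which in Perl also matches just before a trailing newline, so a UPID ending in `:\n` is accepted even though every field excludes whitespace. Because the commit message says the matched UPID is used to build the task log filename, ending the pattern with `:([^:\s/]+):\z|)` would close that gap, provided no caller relies on passing un-chomped input. The three field classes remain deny-lists (`[^:\s/]`), so NUL and other non-whitespace control bytes still match; whether an allow-list is practical depends on what `$id` and `$user` may legitimately contain, which is not visible here. A comment above the regex such as `# no '/' in dtype/id/user: the UPID is used as a task log file name` would keep a later edit from loosening it, and the diffstat shows no regression test for a UPID containing `/`. The body of upid_decode starts and ends outside the hunk, so the path construction is taken from the commit message only.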