proxmox-mirrors/pve-common
1
0
Fork 0
mirror of https://git.proxmox.com/git/pve-common synced 2025-04-28 18:43:47 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

tools: upid decode: do not allow slashes in UPIDs

Browse Source 
The current regex allows slashes as part of the fields $dtype, $id, and
$user. If the given UPID matches the regex, the UPID is used to
construct the task log filename. Hence, slashes in the UPID allow a
limited form of path traversal and will write the task log to a
directory other than /var/log/pve/tasks/subdir/X. While slashes are not
expected to appear in these fields under normal circumstances, add a
safeguard against such conditions and disallow slashes in the three
fields. UPIDs with slashes will then fail with "unable to parse worker
upid [...]".

Patch best viewed with

        git show -p --word-diff-regex=.

Signed-off-by: Friedrich Weber <f.weber@proxmox.com>
This commit is contained in:
Friedrich Weber 2025-03-31 11:20:29 +02:00 committed by Thomas Lamprecht
parent f5b2eacd1b
commit b24661939c
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/PVE/Tools.pm
View File

@ -1183,7 +1183,7 @@ sub upid_decode {
# "UPID:$node:$pid:$pstart:$startime:$dtype:$id:$user"
# Note: allow up to 9 characters for pstart (work until 20 years uptime)
if ($upid =~ m/^UPID:([a-zA-Z0-9]([a-zA-Z0-9\-]*[a-zA-Z0-9])?):([0-9A-Fa-f]{8}):([0-9A-Fa-f]{8,9}):([0-9A-Fa-f]{8}):([^:\s]+):([^:\s]*):([^:\s]+):$/) {
if ($upid =~ m|^UPID:([a-zA-Z0-9]([a-zA-Z0-9\-]*[a-zA-Z0-9])?):([0-9A-Fa-f]{8}):([0-9A-Fa-f]{8,9}):([0-9A-Fa-f]{8}):([^:\s/]+):([^:\s/]*):([^:\s/]+):$|) {
$res->{node} = $1;
$res->{pid} = hex($3);
$res->{pstart} = hex($4);