PVE::ACME - untaint saved account data

Signed-off-by: Dietmar Maurer <dietmar@proxmox.com>
2025-08-04 17:56:46 +00:00 · 2018-07-26 10:45:25 +02:00 · 2018-07-26 10:45:25 +02:00 · bf5e9f8440
commit bf5e9f8440
parent 34d8999638
1 changed files with 3 additions and 1 deletions
--- a/src/PVE/ACME.pm
+++ b/src/PVE/ACME.pm
@ -152,7 +152,9 @@ sub load {
    my ($self) = @_;
    return if $self->{loaded};
    $self->{loaded} = 1;
-    my $data = fromjs(file_get_contents($self->{path}));
+    my $raw = file_get_contents($self->{path});
+    if ($raw =~ m/^(.*)$/s) { $raw = $1; }  # untaint
+    my $data = fromjs($raw);
    $self->{$_} = $data->{$_} for @SAVED_VALUES;
    if (defined(my $keystr = $data->{key})) {
 	my $key = Crypt::OpenSSL::RSA->new_private_key($keystr);