From bf5e9f8440cf4ae5d7dd9bf36a4e53ac5f5a74da Mon Sep 17 00:00:00 2001
From: Dietmar Maurer
Date: Thu, 26 Jul 2018 10:45:25 +0200
Subject: [PATCH] PVE::ACME - untaint saved account data

Signed-off-by: Dietmar Maurer
---
 src/PVE/ACME.pm | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/PVE/ACME.pm b/src/PVE/ACME.pm
index e827aa9..38a14a5 100644
--- a/src/PVE/ACME.pm
+++ b/src/PVE/ACME.pm
@@ -152,7 +152,9 @@ sub load {
 my ($self) = @_;
 return if $self->{loaded};
 $self->{loaded} = 1;
- my $data = fromjs(file_get_contents($self->{path}));
+ my $raw = file_get_contents($self->{path});
+ if ($raw =~ m/^(.*)$/s) { $raw = $1; } # untaint
+ my $data = fromjs($raw);
 $self->{$_} = $data->{$_} for @SAVED_VALUES;
 if (defined(my $keystr = $data->{key})) {
 my $key = Crypt::OpenSSL::RSA->new_private_key($keystr);
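Review bot: The pattern `m/^(.*)$/s` in `load` matches every possible string, so the added line marks the whole account file as trusted without checking anything about it, and taint mode will no longer flag later uses of the values copied out through `@SAVED_VALUES` or of `$keystr`. If the file at `$self->{path}` is trusted because of who is allowed to write it, the comment should record that instead of a bare `# untaint`, for example `# untaint: account file is trusted because <owner/permission requirement>; contents are not validated here`. A stricter follow-up would be to check each decoded field against its expected shape before it is stored on `$self`, so that a modified file fails in `load` and not at a later point of use. The body of `load` continues past the end of the hunk, so any validation further down is not visible here.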