mirror of
https://git.proxmox.com/git/pve-manager
synced 2025-06-03 22:58:50 +00:00
if passing the hook script command as string, it might get interpreted as shell command with side-effects.

this is pretty harmless, since only root is allowed to set the script parameter anyway, but making it more robust and future-proof does not hurt.

tested with a reproducer of "/bin/echo $(touch $(whoami))" as script parameter, with a file with that name existing, being executable and having the following contents:

----8<----
echo "hello from hook script"
---->8----

without this change, the hookscript itself is not executed, but '/bin/sh -c "/bin/echo $(touch $(whoami)) job"' and similar calls are, which cause the file 'root' to be touched in the current working directory of the vzdump process (or task worker).

with this change, the file is executed as is without any side-effects of shell commands in the file name, and the 'hello from hook script' lines are printed whenever the hook script is called by vzdump.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>

||
---|---|---|
.. | ||
API2 | ||
Ceph | ||
CLI | ||
Service | ||
Status | ||
.gitignore | ||
API2.pm | ||
API2Tools.pm | ||
APLInfo.pm | ||
AutoBalloon.pm | ||
CertCache.pm | ||
CertHelpers.pm | ||
ExtMetric.pm | ||
HTTPServer.pm | ||
Makefile | ||
NodeConfig.pm | ||
pvecfg.pm.in | ||
Report.pm | ||
VZDump.pm |