From b5e62cd0b7c5fb567e5750ae56f739c9da29af43 Mon Sep 17 00:00:00 2001
From: Dietmar Maurer
Date: Mon, 29 Jun 2015 12:35:57 +0200
Subject: [PATCH] correctly untaint crontab filenames
---
 src/PVE/LXCSetup/Base.pm | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/PVE/LXCSetup/Base.pm b/src/PVE/LXCSetup/Base.pm
index 2ee9fa7..f7b2b1e 100644
--- a/src/PVE/LXCSetup/Base.pm
+++ b/src/PVE/LXCSetup/Base.pm
@@ -263,7 +263,13 @@ my $randomize_crontab = sub {
 my $rootdir = $self->{rootdir};
- my @files = <$rootdir/etc/cron.d/*>;
+ my @files;
+ # Note: dir_glob_foreach() untaints filenames!
+ my $cron_dir = "$rootdir/etc/cron.d";
+ PVE::Tools::dir_glob_foreach($cron_dir, qr/[A-Z\-\_a-z0-9]+/, sub {
+ my ($name) = @_;
+ push @files, "$cron_dir/$name";
+ });
 my $crontab_fn = "$rootdir/etc/crontab";
 unshift @files, $crontab_fn if -f $crontab_fn;
--
2.39.5
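Review bot: The untainting in the `dir_glob_foreach` callback vouches only for the characters of each name, not for what the entry is: `$rootdir/etc/cron.d` lies inside the container's filesystem, so a name that matches the pattern can still be a symlink or a non-regular file, and nothing in the hunk checks that before the path is pushed onto `@files`. If the code after the hunk opens or rewrites these paths from the host (the sub continues outside the hunk, so this is inferred), consider `my $path = "$cron_dir/$name";` followed by `push @files, $path if -f $path && !-l $path;`, and the same `-l` test for `$crontab_fn`, since `-f` alone follows symlinks. The pattern also skips any file with a dot in its name, which the previous glob included, and it is only a safe filter if `dir_glob_foreach` anchors the regex to the whole name, which is not visible here. Both would be worth recording in the comment, e.g. `# dir_glob_foreach() untaints filenames; names outside [A-Za-z0-9_-] are skipped on purpose`.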