]> git.proxmox.com Git - pve-access-control.git/blobdiff - PVE/RPCEnvironment.pm
projects / pve-access-control.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
untaint path
[pve-access-control.git] / PVE / RPCEnvironment.pm
diff --git a/PVE/RPCEnvironment.pm b/PVE/RPCEnvironment.pm
index 7532e9eca0245dd76f11d75dcd3c9c85081c840f..faa4fb2486e8ad5d5896cf862c1afe7da6154c8e 100644 (file)
--- a/PVE/RPCEnvironment.pm
+++ b/PVE/RPCEnvironment.pm
@@ -304,6 +304,9 @@ sub check_volume_access {
            if $user ne 'root@pam';
 
        $path = abs_path($volid);
+       if ($path =~ m|^(/.+)$|) {
+           $path = $1; # untaint any path
+       }
     }
     return $path;
 }
Access control framework