From: Dietmar Maurer
Date: Wed, 6 Jun 2012 11:06:51 +0000 (+0200)
Subject: untaint path
X-Git-Url: https://git.proxmox.com/?p=pve-access-control.git;a=commitdiff_plain;h=1e15ebe7b535fde0da6205dff7efda781f1aaca9
untaint path
---
diff --git a/Makefile b/Makefile
index bbea6a9..2ffede4 100644
--- a/Makefile
+++ b/Makefile
@@ -2,7 +2,7 @@ RELEASE=2.1
 VERSION=1.0
 PACKAGE=libpve-access-control
-PKGREL=23
+PKGREL=24
 DESTDIR=
 PREFIX=/usr
diff --git a/PVE/RPCEnvironment.pm b/PVE/RPCEnvironment.pm
index 7532e9e..faa4fb2 100644
--- a/PVE/RPCEnvironment.pm
+++ b/PVE/RPCEnvironment.pm
@@ -304,6 +304,9 @@ sub check_volume_access {
 if $user ne 'root@pam';
 $path = abs_path($volid);
+ if ($path =~ m|^(/.+)$|) {
+ $path = $1; # untaint any path
+ }
 }
 return $path;
 }
diff --git a/changelog.Debian b/changelog.Debian
index 6d442f3..4517038 100644
--- a/changelog.Debian
+++ b/changelog.Debian
@@ -1,3 +1,9 @@
+libpve-access-control (1.0-24) unstable; urgency=low
+
+ * untaint path (allow root to restore arbitrary paths)
+
+ -- Proxmox Support Team Wed, 06 Jun 2012 13:06:34 +0200
+
 libpve-access-control (1.0-23) unstable; urgency=low
 * correctly compute GUI capabilities (consider pools)
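Review bot: The new `if ($path =~ m|^(/.+)$|)` in check_volume_access has no else branch, so when the match fails (abs_path() can return undef for a path it cannot resolve, and `.` will not cross an embedded newline) `$path` is returned unchanged, undef or still tainted, and the failure only surfaces later in the caller. The pattern also validates nothing beyond a leading slash, and `$` matches before a trailing newline, so `$1` can differ from the path that was actually resolved; `\A(/.+)\z` with the `/s` flag keeps the captured value identical to the input. I would fail closed here, e.g. `die "unable to resolve path '$volid'\n" if !defined($path) || $path !~ m|\A(/.+)\z|s;` followed by `$path = $1;`. Because this is a blanket untaint, the comment should state why that is acceptable, e.g. `# untaint: only root@pam reaches this branch`. That reading is inferred from the `if $user ne 'root@pam'` context line and the changelog entry, and the enclosing block starts outside the hunk, so it needs confirming against the full function.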