fix tainted input in backup_cfs_database

[pve-cluster.git] / data / PVE / Cluster.pm

diff --git a/data/PVE/Cluster.pm b/data/PVE/Cluster.pm
index 27b1c97206223fbe14a2f7da6a91ffe869bdf3c9..fabf5bcf16978f84022a5f46f6dec1aacdde753f 100644 (file)
--- a/data/PVE/Cluster.pm
+++ b/data/PVE/Cluster.pm
@@ -1762,6 +1762,7 @@ my $backup_cfs_database = sub {
 
     if ((my $count = scalar(@$backups)) > $maxfiles) {
        foreach my $f (@$backups[$maxfiles..$count-1]) {
+           next if $f !~ m/^(\S+)$/; # untaint
            print "delete old backup '$1'\n";
            unlink $1;
        }