untaint df return values

[pve-common.git] / src / PVE / Tools.pm

diff --git a/src/PVE/Tools.pm b/src/PVE/Tools.pm
index d5373a4246062887bd778f35f4d2ac9cf2bb8bd1..6a2dae46d37d8e4cfff2dd60b46f8a80ae4e2e84 100644 (file)
--- a/src/PVE/Tools.pm
+++ b/src/PVE/Tools.pm
@@ -986,10 +986,14 @@ sub df {
     my $res = eval { run_fork_with_timeout($timeout, $df) } // {};
     warn $@ if $@;
 
+    # untaint the values
+    my ($blocks, $used, $bavail) = map { defined($_) ? (/^(\d+)$/) : 0 }
+       $res->@{qw(blocks used bavail)};
+
     return {
-       total => $res->{blocks} // 0,
-       used => $res->{used} // 0,
-       avail => $res->{bavail} // 0,
+       total => $blocks,
+       used => $used,
+       avail => $bavail,
     };
 }