render_bytes: check format, untaint before calling sprintf

author Dietmar Maurer <dietmar@proxmox.com>

Mon, 6 Aug 2018 11:05:23 +0000 (13:05 +0200)

committer Dietmar Maurer <dietmar@proxmox.com>

Mon, 6 Aug 2018 11:16:44 +0000 (13:16 +0200)
author Dietmar Maurer <dietmar@proxmox.com>
Mon, 6 Aug 2018 11:05:23 +0000 (13:05 +0200)
committer Dietmar Maurer <dietmar@proxmox.com>
Mon, 6 Aug 2018 11:16:44 +0000 (13:16 +0200)
diff --git a/src/PVE/CLIFormatter.pm b/src/PVE/CLIFormatter.pm

index dfc3679ad0a9330d1fc17d954cdeca432b934300..2c10318d3b7c8e9a2e32c0e6e10fd2c366698c4e 100644 (file)
--- a/src/PVE/CLIFormatter.pm
+++ b/src/PVE/CLIFormatter.pm
@@ -69,6 +69,9 @@ PVE::JSONSchema::register_renderer(
  sub render_bytes {
      my ($value) = @_;
  
  sub render_bytes {
      my ($value) = @_;
  
+    return $value if $value !~ m/^(\d+)$/;
+    $value = int($1); # untaint for sprintf
+
      my @units = qw(B KiB MiB GiB TiB PiB);
  
      my $max_unit = 0;
      my @units = qw(B KiB MiB GiB TiB PiB);
  
      my $max_unit = 0;
author	Dietmar Maurer <dietmar@proxmox.com>
	Mon, 6 Aug 2018 11:05:23 +0000 (13:05 +0200)
committer	Dietmar Maurer <dietmar@proxmox.com>
	Mon, 6 Aug 2018 11:16:44 +0000 (13:16 +0200)