From a91ee28fe5abd92080260d66078f88d05ff4f4f0 Mon Sep 17 00:00:00 2001
From: Dietmar Maurer
Date: Mon, 6 Aug 2018 13:05:23 +0200
Subject: [PATCH] render_bytes: check format, untaint before calling sprintf
Signed-off-by: Dietmar Maurer
---
 src/PVE/CLIFormatter.pm | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/src/PVE/CLIFormatter.pm b/src/PVE/CLIFormatter.pm
index dfc3679..2c10318 100644
--- a/src/PVE/CLIFormatter.pm
+++ b/src/PVE/CLIFormatter.pm
@@ -69,6 +69,9 @@ PVE::JSONSchema::register_renderer(
 sub render_bytes {
 my ($value) = @_;
+ return $value if $value !~ m/^(\d+)$/;
+ $value = int($1); # untaint for sprintf
+
 my @units = qw(B KiB MiB GiB TiB PiB);
 my $max_unit = 0;
--
2.39.2
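Review bot: The untaint pattern on the added `return $value if $value !~ m/^(\d+)$/;` line accepts more than plain ASCII integers: `$` also matches before a trailing newline, and without `/a` the `\d` class matches any Unicode digit when `$value` is a character string. Since the capture is what clears the taint flag, the pattern should admit exactly the intended input, e.g. `return $value if $value !~ m/\A([0-9]+)\z/;`. If callers can pass decoded strings, a non-ASCII digit string would presumably reach `int($1)` and be rendered as 0 rather than passed through unchanged. A one-line comment stating that non-integer input is returned as-is on purpose would also help the next reader; the rest of render_bytes lies outside the hunk.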