file/volume size info: add actual errors to untaint messages

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>

diff --git a/PVE/Storage/PBSPlugin.pm b/PVE/Storage/PBSPlugin.pm
index 19629eebbf6a2c22366531088dd5090aecdebe8f..bb1c3821fef6f90c9378a8a77940d73c69edcb47 100644 (file)
--- a/PVE/Storage/PBSPlugin.pm
+++ b/PVE/Storage/PBSPlugin.pm
@@ -811,7 +811,7 @@ sub volume_size_info {
 
     my $size = 0;
     foreach my $info (@$data) {
-       if ($info->{size} && $info->{size} =~ /^(\d+)$/) {
+       if ($info->{size} && $info->{size} =~ /^(\d+)$/) { # untaints
            $size += $1;
        }
     }

diff --git a/PVE/Storage/Plugin.pm b/PVE/Storage/Plugin.pm
index b1165f75bcf592ee602a1b5613172799e7ab3c90..44697eceb53efdbbf6f6a5ea446d17411616b20e 100644 (file)
--- a/PVE/Storage/Plugin.pm
+++ b/PVE/Storage/Plugin.pm
@@ -837,11 +837,11 @@ sub file_size_info {
 
     my ($size, $format, $used, $parent) = $info->@{qw(virtual-size format actual-size backing-filename)};
 
-    ($size) = ($size =~ /^(\d+)$/); #untaint
-    ($used) = ($used =~ /^(\d+)$/); #untaint
-    ($format) = ($format =~ /^([-\w]+)$/); #untaint
+    ($size) = ($size =~ /^(\d+)$/) or die "size '$size' not an integer\n"; # untaint
+    ($used) = ($used =~ /^(\d+)$/) or die "used '$used' not an integer\n"; # untaint
+    ($format) = ($format =~ /^(\S+)$/) or die "format '$format' includes whitespace\n"; # untaint
     if (defined($parent)) {
-       ($parent) = ($parent =~ /^(.*)$/); #untaint
+       ($parent) = ($parent =~ /^(\S+)$/) or die "parent '$parent' includes whitespace\n"; # untaint
     }
     return wantarray ? ($size, $format, $used, $parent, $st->ctime) : $size;
 }