Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
my $size = 0;
foreach my $info (@$data) {
my $size = 0;
foreach my $info (@$data) {
- if ($info->{size} && $info->{size} =~ /^(\d+)$/) {
+ if ($info->{size} && $info->{size} =~ /^(\d+)$/) { # untaints
my ($size, $format, $used, $parent) = $info->@{qw(virtual-size format actual-size backing-filename)};
my ($size, $format, $used, $parent) = $info->@{qw(virtual-size format actual-size backing-filename)};
- ($size) = ($size =~ /^(\d+)$/); #untaint
- ($used) = ($used =~ /^(\d+)$/); #untaint
- ($format) = ($format =~ /^([-\w]+)$/); #untaint
+ ($size) = ($size =~ /^(\d+)$/) or die "size '$size' not an integer\n"; # untaint
+ ($used) = ($used =~ /^(\d+)$/) or die "used '$used' not an integer\n"; # untaint
+ ($format) = ($format =~ /^(\S+)$/) or die "format '$format' includes whitespace\n"; # untaint
- ($parent) = ($parent =~ /^(.*)$/); #untaint
+ ($parent) = ($parent =~ /^(\S+)$/) or die "parent '$parent' includes whitespace\n"; # untaint
}
return wantarray ? ($size, $format, $used, $parent, $st->ctime) : $size;
}
}
return wantarray ? ($size, $format, $used, $parent, $st->ctime) : $size;
}
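Review bot: The added `$parent` line dies when `backing-filename` is absent (presumably the case for an image without a backing file), because an undef `$parent` cannot match `/^(\S+)$/`, whereas the removed `/^(.*)$/` let it through; wrap it in `if (defined($parent))`. In all four added lines the list assignment has already overwritten the variable with undef by the time `or die` fires, so the message prints an empty value (and warns under `use warnings`); matching first and assigning from `$1` afterwards keeps the rejected value in the message. The `$format` pattern widens from `[-\w]+` to `\S+`, and `$parent` uses the same class, so taint is cleared on any non-whitespace string taken from image metadata. Callers that pass these values on to a command line or a path still need their own validation, and a comment saying so would help. The enclosing sub begins outside the visible lines.

```perl
my ($size, $format, $used, $parent) = $info->@{qw(virtual-size format actual-size backing-filename)};

# Match first and assign from the capture afterwards, so the die message
# still shows the value that was rejected.
$size =~ /^(\d+)$/ or die "size '$size' not an integer\n";
$size = $1; # untaint
$used =~ /^(\d+)$/ or die "used '$used' not an integer\n";
$used = $1; # untaint
$format =~ /^(\S+)$/ or die "format '$format' includes whitespace\n";
$format = $1; # untaint; only whitespace is rejected, callers must not treat this as shell- or path-safe

# Only validate the backing file name when the image reports one.
if (defined($parent)) {
    $parent =~ /^(\S+)$/ or die "parent '$parent' includes whitespace\n";
    $parent = $1; # untaint; same caveat as $format
}
# … unchanged: return wantarray ? (...) : $size …
```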