sanitize variable before using it
authorJoerg Jaspert <joerg@debian.org>
Wed, 5 Dec 2012 22:20:48 +0000 (23:20 +0100)
committerJoerg Jaspert <joerg@debian.org>
Wed, 5 Dec 2012 22:20:48 +0000 (23:20 +0100)
Signed-off-by: Joerg Jaspert <joerg@debian.org>
tools/debianqueued-0.9/debianqueued

index 45f1242781fe7bc54948fa66a19ad215957b2e22..f9da96fa69f8776f7f8f3e65f67daaaf5fbeb6c9 100755 (executable)
@@ -1708,6 +1708,13 @@ sub pgp_check($) {
   my $stat;
   local (*PIPE);
 
+  if ($file =~ /^([-\w.+~]+)$/) {
+    $file = $1;
+  } else {
+    msg( "log", "Tainted filename, skipping: $file\n" );
+    return "LOCAL ERROR";
+  }
+
   $stat = 1;
   if ( -x $conf::gpg ) {
     debug(   "executing $conf::gpg --no-options --batch "
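Review bot: The untaint pattern in the added `if` is anchored with `^` and `$`, and in Perl `$` also matches before a trailing newline, so a value such as `"foo\n"` is accepted and `$1` silently becomes `"foo"`; anchor with `\A` and `\z` instead, e.g. `if ($file =~ /\A([-\w.+~]+)\z/) {`. The class `[-\w.+~]` also admits a leading `-`, so a name like `-foo` passes the check and, if it is later placed on the `$conf::gpg` command line built below, could be read as an option rather than a filename — worth confirming that the invocation separates options from arguments (a `--` or list-form call) or requiring a non-dash first character. The same `\w` will match non-ASCII word characters under Unicode semantics; add `/a` if only ASCII names are intended. `pgp_check` is cut at both ends of the hunk, so where `$file` is assigned and how it reaches gpg is not visible here.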