author | des <des@FreeBSD.org> | 2005-07-29 11:28:03 +0000 |
---|---|---|
committer | des <des@FreeBSD.org> | 2005-07-29 11:28:03 +0000 |
commit | 8761731b8c8a76481424d638753f19b95116971c (patch) | |
tree | c7443de14a283b43a8a596b118ffacd6867f7158 | |
parent | 59a8e9095cf8a3790405749f90a2e6a2ed6c50ce (diff) | |
In realpath(), make sure each path component consists only of safe
characters, and untaint it.
-rw-r--r-- | tools/tools/tinderbox/tbmaster.pl | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/tools/tools/tinderbox/tbmaster.pl b/tools/tools/tinderbox/tbmaster.pl
index b48545f..71751a1 100644
--- a/tools/tools/tinderbox/tbmaster.pl
+++ b/tools/tools/tinderbox/tbmaster.pl
@@ -91,7 +91,9 @@ sub realpath($;$) {
 or die("unable to resolve symlink '$realpath/$part': $!\n");
 $realpath = realpath($target, $realpath);
 } else {
- $realpath .= "/$part";
+ $part =~ m/^([\w.-]+)$/
+ or die("unsafe path '$realpath/$part'\n");
+ $realpath .= "/$1";
 }
 }
 return $realpath; |
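Review bot: The new check in the `else` branch anchors with `^`/`$`, and `$` also matches just before a trailing newline, so a component ending in "\n" is accepted while `$1` silently drops the newline and the returned path no longer equals the component that was passed in. Anchoring with `\A`/`\z` and spelling the class out closes that gap and keeps `\w` from widening under locale or Unicode semantics: `$part =~ m/\A([A-Za-z0-9_.-]+)\z/`. The class also accepts `.` and `..`; whether those are handled before this branch cannot be seen here, because realpath's body starts and ends outside the hunk. A short comment above the match, e.g. `# untaint: append the capture, never $part itself`, would record why `$1` is used.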