Untaint results from escapeshellarg.

05290a50 · Kevin Atkinson · a2486b1c · 05290a50
Commit 05290a50 authored May 08, 2008 by Kevin Atkinson
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 1 deletion

db/User.pm.in db/User.pm.in +2 -1

No files found.
--- a/db/User.pm.in
+++ b/db/User.pm.in
@@ -1466,7 +1466,8 @@ sub escapeshellarg($)
    my ($str) = @_;

    $str =~ s/[^[:alnum:]]/\\$&/g;
-    return $str;
+    $str =~ /^(.+)$/; # untaint the result
+    return $1;
 }

 # _Always_ make sure that this 1 is at the end of the file...