From 28f215f4950791b3b285dc176fefefbd105fdb73 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Wed, 25 Mar 2015 19:01:37 +0100
Subject: Untaint $ffdir/$profile.

---
 cli/icevault | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/cli/icevault b/cli/icevault
index 43b8e50..93a4768 100755
--- a/cli/icevault
+++ b/cli/icevault
@@ -162,7 +162,8 @@ sub connect($) {
 }
 closedir $dh;
 error "No Firefox profile found under C<%s>", $ffdir unless defined $profile;
- $sockname = "$ffdir/$profile/$sockname";
+ "$ffdir/$profile" =~ /\A(\p{Print}+)\z/ or error "Insecure C<%s>", "$ffdir/$profile"; # untaint $ffdir/$profile
+ $sockname = "$1/$sockname";
 myprintf \*STDERR, "Using socket C<%s>", $sockname if $CONFIG{debug};
 }

-- 
cgit v1.2.3
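Review bot: The untaint pattern `/\A(\p{Print}+)\z/` on the first added line accepts almost any path, including `..` components, spaces and shell metacharacters, so it clears the taint flag without really validating `$ffdir/$profile` before it becomes the socket path. If `$profile` comes from the directory listing closed just above (that loop is outside the hunk, so this is inferred), checking it alone against the expected profile-directory form would be tighter, e.g. `$profile =~ /\A([A-Za-z0-9][A-Za-z0-9._-]*)\z/ or error "Insecure C<%s>", $profile;`, widened only as far as the profile names the tool must support. The second added line also depends on `error` never returning, because `$1` would otherwise carry a stale or undefined capture into `$sockname`; binding the capture in the same statement, `my ($dir) = "$ffdir/$profile" =~ /\A(\p{Print}+)\z/ or error "Insecure C<%s>", "$ffdir/$profile";`, makes that dependency explicit. connect's body starts before the hunk.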