From 2c9f42f83376e8450e40ac61717babb414c78a95 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Wed, 25 Mar 2015 20:14:12 +0100
Subject: Untaint identity filenames.
---
 cli/icevault | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/cli/icevault b/cli/icevault
index 93a4768..eb8c343 100755
--- a/cli/icevault
+++ b/cli/icevault
@@ -339,7 +339,8 @@ sub getIdentityFile($) {
 $1 eq 'h' ? $h : $1 eq 'i' ? $i : die "Invalid placeholder %$1" }ge;
- return $filename;
+ $filename =~ /\A(\p{Print}+)\z/ or error "Insecure C<%s>", $filename; # untaint $filename
+ return $1;
 }
 # Decrypt the given identity file and return the YAML-parsed form.
-- cgit v1.2.3
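Review bot: The untaint pattern on the added line, `/\A(\p{Print}+)\z/`, rejects only empty names and non-printable characters, so it clears the taint flag without constraining what matters for a path: `/`, `..` components and a leading `-` all pass. If `$h` or `$i` can come from outside input (their origin is above the hunk, so this is inferred), I would validate them before the substitution or add a component check such as `$filename =~ m{(?:\A|/)\.\.(?:/|\z)} and error "Insecure C<%s>", $filename;`. The rejected name is by definition one containing non-printable characters, and it is passed as-is to `error`; confirm that `error` escapes it before it reaches a terminal or log. `return $1` is also only safe if `error` never returns, since otherwise `$1` may still hold the capture from the `s{}{}ge` above; getIdentityFile begins outside the hunk, so neither point can be checked here.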