Merge pull request #7776 from techhat/cmdinjection

Fix command injection flaw in disk.inodeusage
2024-11-08 09:23:56 +00:00 · 2013-10-11 18:50:46 -07:00 · 2013-10-11 18:50:46 -07:00 · aca78f3144
commit aca78f3144
parent 336ebcc2f2 8e5afe59ce
1 changed files with 10 additions and 1 deletions
--- a/salt/modules/disk.py
+++ b/salt/modules/disk.py
@ -95,9 +95,18 @@ def inodeusage(args=None):

        salt '*' disk.inodeusage
    '''
+    flags = ''
+    allowed = ('a', 'B', 'h', 'H', 'i', 'k', 'l', 'P', 't', 'T', 'x', 'v')
+    for flag in args:
+        if flag in allowed:
+            flags += flag
+        else:
+            raise CommandExecutionError(
+                'Invalid flag passed to disk.inodeusage'
+            )
    cmd = 'df -i'
    if args is not None:
-        cmd = cmd + ' -' + args
+        cmd += ' -{0}'.format(flags)
    ret = {}
    out = __salt__['cmd.run'](cmd).splitlines()
    for line in out: