Security issue: add validation of script names
[ganeti-local] / lib / utils.py
index f6c00ee..6dc5d14 100644 (file)
@@ -1190,8 +1190,16 @@ def FindFile(name, search_path, test=os.path.exists):
     - None otherwise
 
   """
+  # validate the filename mask
+  if constants.EXT_PLUGIN_MASK.match(name) is None:
+    logger.Error("Invalid value passed for external script name: '%s'" %
+                 name)
+    return None
+
   for dir_name in search_path:
     item_name = os.path.sep.join([dir_name, name])
-    if test(item_name):
+    # check the user test and that we're indeed resolving to the given
+    # basename
+    if test(item_name) and os.path.basename(item_name) == name:
       return item_name
   return None
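Review bot: The new guard at the top of FindFile is only as strict as the pattern behind `constants.EXT_PLUGIN_MASK`, which is defined outside this hunk. `match()` anchors only at the start of `name`, so unless that pattern carries its own end anchor, a name that merely begins with valid characters passes the first check. The added `os.path.basename(item_name) == name` comparison rejects any name containing a path separator, but it still accepts `..` and the empty string, so those cases rest entirely on the mask. I would state the requirement next to the check, e.g. `# EXT_PLUGIN_MASK must be anchored at both ends; prefer \Z, since $ also matches before a trailing newline`, and confirm the constant meets it. The signature and most of the docstring lie outside the hunk; the docstring should probably also say that a name failing the mask returns None.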