From 18f12629744851710afa98dee653f0fe8bd243f9 Mon Sep 17 00:00:00 2001 From: "Kyle J. McKay" Date: Fri, 5 Mar 2021 02:51:23 -0700 Subject: [PATCH] Project.pm/User.pm: split validated match not $_ In the get_full_list_extended functions, split the validated pattern match capture rather than $_. That way it's untainted. Signed-off-by: Kyle J. McKay --- Girocco/Project.pm | 2 +- Girocco/User.pm | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Girocco/Project.pm b/Girocco/Project.pm index efc5d8e..559f773 100644 --- a/Girocco/Project.pm +++ b/Girocco/Project.pm @@ -1799,7 +1799,7 @@ sub get_full_list { # will recover the _exact_ original line from the group file for that entry sub get_full_list_extended { open my $fd, '<', jailed_file("/etc/group") or die "getting project list failed: $!"; - my @projects = map {chomp; /^([^:_\s#][^:\s#]*):[^:]*:[1-9]\d{4,}:/ ? [split(/:/,$_,-1)] : ()} <$fd>; + my @projects = map {chomp; /^([^:_\s#][^:\s#]*:[^:]*:[1-9]\d{4,}:.*)$/ ? [split(/:/,$1,-1)] : ()} <$fd>; close $fd; @projects; } diff --git a/Girocco/User.pm b/Girocco/User.pm index 2bbb713..42f25ba 100644 --- a/Girocco/User.pm +++ b/Girocco/User.pm @@ -493,7 +493,7 @@ sub get_full_list { # will recover the _exact_ original line from the passwd file for that entry sub get_full_list_extended { open my $fd, '<', jailed_file("/etc/passwd") or die "getting user list failed: $!"; - my @users = map {chomp; /^([^:_\s#][^:\s#]*):[^:]*:[1-9]\d{4,}:/ ? [split(/:/,$_,-1)] : ()} <$fd>; + my @users = map {chomp; /^([^:_\s#][^:\s#]*:[^:]*:[1-9]\d{4,}:.*)$/ ? [split(/:/,$1,-1)] : ()} <$fd>; close $fd; @users; } -- 2.11.4.GIT