Fix command injection vulnerability in disk.usage
techhat committed Oct 12, 2013
1 parent b89fa91 commit ebdef37
Showing 1 changed file with 8 additions and 1 deletion.
9 changes: 8 additions & 1 deletion salt/modules/disk.py
@@ -31,14 +31,21 @@ def usage(args=None):
salt '*' disk.usage
'''
flags = ''
allowed = ('a', 'B', 'h', 'H', 'i', 'k', 'l', 'P', 't', 'T', 'x', 'v')
for flag in args:
if flag in allowed:
flags += flag
else:
break
if __grains__['kernel'] == 'Linux':
cmd = 'df -P'
elif __grains__['kernel'] == 'OpenBSD':
cmd = 'df -kP'
else:
cmd = 'df'
if args:
cmd = cmd + ' -' + args
cmd += ' -{0}'.format(flags)
ret = {}
out = __salt__['cmd.run'](cmd).splitlines()
for line in out:
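Review bot: The allowlist loop `for flag in args:` runs before any check on `args`, and the signature in the hunk header is `usage(args=None)`, so the documented call `salt '*' disk.usage` with no arguments would raise a TypeError instead of running plain `df`. Iterating `for flag in args or '':` keeps the default path working. The page has lost its +/- markers, but it looks as if the `if args:` guard stays in front of `cmd += ' -{0}'.format(flags)`; if so, input whose first character is rejected still appends a bare ` -` to the command, and the guard should be `if flags:`. The `break` also discards everything after the first disallowed character without a log line or an error, so rejected input leaves no trace in the minion log; logging or raising there would make misuse visible. The body of `usage` continues outside the hunk.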
