From 595dfdc0a9c71f9eed27ce3eaacc7a5a658d5ada Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
Date: Mon, 14 Mar 2016 12:16:23 +0100
Subject: [PATCH] backup: add additional verification of backup header

Ensure only alphanumeric characters are used.
---
 qubes/backup.py | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/qubes/backup.py b/qubes/backup.py
index 6a752ffe..e2773399 100644
--- a/qubes/backup.py
+++ b/qubes/backup.py
@@ -126,9 +126,13 @@ class BackupHeader(object):
 if untrusted_line.count('=') != 1:
 raise qubes.exc.QubesException("Invalid backup header")
 (key, value) = untrusted_line.strip().split('=')
+ if not re.match(r"^[a-zA-Z0-9-]*$", key):
+ raise qubes.exc.QubesException("Invalid backup header (key)")
 if key not in self.header_keys.keys():
 # Ignoring unknown option
 continue
+ if not re.match(r"^[a-zA-Z0-9-]*$", value):
+ raise qubes.exc.QubesException("Invalid backup header (value)")
 if getattr(self, self.header_keys[key]) is not None:
 raise qubes.exc.QubesException(
 "Duplicated header line: {}".format(key))
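Review bot: The two added `re.match(r"^[a-zA-Z0-9-]*$", ...)` checks accept more than the commit message implies, because in Python `$` also matches just before a trailing newline and `*` accepts the empty string. The earlier `strip()` removes trailing whitespace from the value, but a key that ends in a newline before the `=` (if a header line can carry one) would pass the key check and only be dropped by the `header_keys` lookup, so the validation relies on the code around it. Anchoring with `\Z` and, if empty fields are never legitimate, requiring at least one character lets each check stand on its own: `if not re.match(r"^[a-zA-Z0-9-]+\Z", value):` and the same pattern for `key`. The tuple is also bound to `key`/`value` before it has been checked, while the input is named `untrusted_line`; keeping an `untrusted_` prefix until the regex passes would match that convention. The hunk depends on `re` being imported in `qubes/backup.py`, which is not visible here, and the enclosing method starts and ends outside the hunk.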