X-Git-Url: https://git.decadent.org.uk/gitweb/?a=blobdiff_plain;f=tools%2Fdebianqueued-0.9%2Fdebianqueued;h=f9da96fa69f8776f7f8f3e65f67daaaf5fbeb6c9;hb=10e1a17a6c7c0dbfc3a7b20f37a23ee153b25b66;hp=3e6400f827f15da5ee4084a7c04e945ac149027d;hpb=603f58ac2e830affd10fef8ae98f6c3c6f499780;p=dak.git

diff --git a/tools/debianqueued-0.9/debianqueued b/tools/debianqueued-0.9/debianqueued
index 3e6400f8..f9da96fa 100755
--- a/tools/debianqueued-0.9/debianqueued
+++ b/tools/debianqueued-0.9/debianqueued
@@ -1132,6 +1132,8 @@ outer_loop: while (<CHANGES>) {
 sub process_dak_commands {
   my $commands = shift;
 
+  msg("log", "processing ${main::current_incoming_short}/$commands\n");
+
   # TODO: get mail address from signed contents
   # and NOT implement a third parser for armored PGP...
   $main::mail_addr = undef;
@@ -1706,6 +1708,13 @@ sub pgp_check($) {
   my $stat;
   local (*PIPE);
 
+  if ($file =~ /^([-\w.+~]+)$/) {
+    $file = $1;
+  } else {
+    msg( "log", "Tainted filename, skipping: $file\n" );
+    return "LOCAL ERROR";
+  }
+
   $stat = 1;
   if ( -x $conf::gpg ) {
     debug(   "executing $conf::gpg --no-options --batch "