sanitize variable before using it

[dak.git] / tools / debianqueued-0.9 / debianqueued

diff --git a/tools/debianqueued-0.9/debianqueued b/tools/debianqueued-0.9/debianqueued
index 3e6400f827f15da5ee4084a7c04e945ac149027d..f9da96fa69f8776f7f8f3e65f67daaaf5fbeb6c9 100755 (executable)
--- a/tools/debianqueued-0.9/debianqueued
+++ b/tools/debianqueued-0.9/debianqueued
@@ -1132,6 +1132,8 @@ outer_loop: while (<CHANGES>) {
 sub process_dak_commands {
   my $commands = shift;
 
+  msg("log", "processing ${main::current_incoming_short}/$commands\n");
+
   # TODO: get mail address from signed contents
   # and NOT implement a third parser for armored PGP...
   $main::mail_addr = undef;
@@ -1706,6 +1708,13 @@ sub pgp_check($) {
   my $stat;
   local (*PIPE);
 
+  if ($file =~ /^([-\w.+~]+)$/) {
+    $file = $1;
+  } else {
+    msg( "log", "Tainted filename, skipping: $file\n" );
+    return "LOCAL ERROR";
+  }
+
   $stat = 1;
   if ( -x $conf::gpg ) {
     debug(   "executing $conf::gpg --no-options --batch "