0001-fixes-6086-CVE-2014-0007-fixed-TFTP-boot-API-remote-.patch

Patch v1 - Lukas Zapletal, 06/06/2014 10:31 AM


lib/proxy/tftp.rb
98 98
  class << self
99 99
    include Proxy::Util
100 100
    def fetch_boot_file dst, src
101
      filename    = src.split("/")[-1]
102
      destination = Pathname.new("#{SETTINGS.tftproot}/#{dst}-#{filename}")
101
      filename    = escape_for_filename(dst + '-' + src.split("/")[-1])
102
      destination = Pathname.new("#{SETTINGS.tftproot}/#{filename}")
103 103

  
104 104
      # Ensure that our image directory exists
105 105
      # as the dst might contain another sub directory
106 106
      FileUtils.mkdir_p destination.parent
107 107

  
108 108
      wget = which("wget")
109
      cmd = "#{wget} --timeout=10 --tries=3 --no-check-certificate -nv -c #{src} -O \"#{destination}\""
109
      cmd = "#{wget} --timeout=10 --tries=3 --no-check-certificate -nv -c #{escape_for_shell(src)} -O \"#{escape_for_shell(destination)}\""
110 110
      CommandTask.new(cmd)
111 111
    end
112 112
  end
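Review bot: The `cmd` line at new line 109 still builds a single shell string and treats its two values inconsistently: `src` is escaped and interpolated bare, while `destination` is escaped and then also wrapped in `\"…\"`. `escape_for_shell` is not defined in this diff; if it backslash-escapes for an unquoted context, the surrounding double quotes will leave literal backslashes in the output path, so the quotes should probably be dropped: `-O #{escape_for_shell(destination)}`. Shell escaping also does not stop a `src` that begins with `-` from being parsed by wget as an option, so `src` should be checked to be an http, https or ftp URL before the command is built, with `--` placed ahead of it as the final argument. `--no-check-certificate` is kept, so the downloaded boot image is still not authenticated by TLS.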
lib/proxy/util.rb
90 90
    end
91 91
  end
92 92

  
93
  def escape_for_filename(string)
94
    string.gsub(/[\/\0]/n, '_')
95
  end
96

  
93 97
  def strict_encode64(str)
94 98
    if Base64.respond_to?(:strict_encode64)
95 99
      Base64.strict_encode64(str)
96
-
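Review bot: `escape_for_filename` replaces only `/` and NUL, which keeps the result a single path component on POSIX hosts but leaves backslashes and control characters untouched. If the proxy can also run where `\` is a path separator (not verifiable from this page), the character class would need it too, e.g. `/[\/\\\0]/n`. The helper also has no comment stating what it guarantees; something like `# Replaces path separators and NUL so the result is always a single file name component` would make its security purpose clear to later editors.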