From 3adb961c6f958fe7ceaab21d9916f361d70c244f Mon Sep 17 00:00:00 2001
From: Lukas Zapletal
Date: Fri, 6 Jun 2014 12:30:52 +0200
Subject: [PATCH] fixes #6086 - CVE-2014-0007: fixed TFTP boot API remote code execution

---
 lib/proxy/tftp.rb | 6 +++---
 lib/proxy/util.rb | 4 ++++
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/lib/proxy/tftp.rb b/lib/proxy/tftp.rb
index de9b79f..212b292 100644
--- a/lib/proxy/tftp.rb
+++ b/lib/proxy/tftp.rb
@@ -98,15 +98,15 @@ module Proxy::TFTP
 class << self
 include Proxy::Util
 def fetch_boot_file dst, src
- filename = src.split("/")[-1]
- destination = Pathname.new("#{SETTINGS.tftproot}/#{dst}-#(unknown)")
+ filename = escape_for_filename(dst + '-' + src.split("/")[-1])
+ destination = Pathname.new("#{SETTINGS.tftproot}/#(unknown)")
 # Ensure that our image directory exists
 # as the dst might contain another sub directory
 FileUtils.mkdir_p destination.parent
 wget = which("wget")
- cmd = "#{wget} --timeout=10 --tries=3 --no-check-certificate -nv -c #{src} -O \"#{destination}\""
+ cmd = "#{wget} --timeout=10 --tries=3 --no-check-certificate -nv -c #{escape_for_shell(src)} -O \"#{escape_for_shell(destination)}\""
 CommandTask.new(cmd)
 end
 end
diff --git a/lib/proxy/util.rb b/lib/proxy/util.rb
index 80a1bd7..eea4a27 100644
--- a/lib/proxy/util.rb
+++ b/lib/proxy/util.rb
@@ -90,6 +90,10 @@ module Proxy::Util
 end
 end
+ def escape_for_filename(string)
+ string.gsub(/[\/\0]/n, '_')
+ end
+
 def strict_encode64(str)
 if Base64.respond_to?(:strict_encode64)
 Base64.strict_encode64(str)
-- 
1.9.3
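Review bot: The context comment `# as the dst might contain another sub directory` is stale after this change: `escape_for_filename` rewrites every `/` in `dst + '-' + basename` to `_`, so `filename` is always a single path component and `destination.parent` is always `SETTINGS.tftproot`; replace it with `# filename is a single path component (escape_for_filename strips '/'), so parent is tftproot`. The new `dst + '-' + src.split("/")[-1]` raises a TypeError when `src` is empty or consists only of slashes (`split` then yields no last element), where a deliberate `raise ArgumentError, "src has no file name" if (base = src.split("/")[-1]).to_s.empty?` would fail clearly before any file is touched. `escape_for_shell` is defined outside this hunk; if it Shellwords-escapes its argument, wrapping the escaped destination in literal double quotes as well is redundant and can leave backslashes in the resulting path, so verify its definition in Proxy::Util and use either escaping or quoting, not both. fetch_boot_file's enclosing class body starts before this hunk.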
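Review bot: `escape_for_filename` is undocumented, and its contract is narrower than the name suggests: it is a denylist that rewrites only `/` and NUL, so `..`, leading `-`, whitespace and every other character pass through unchanged, and distinct inputs collide (`a/b` and `a_b` both become `a_b`). Add a comment at its definition along the lines of `# Makes a string usable as a single path component by replacing '/' and NUL with '_'. Does not validate or reject anything; callers must join the result under a fixed root.` The `/n` flag on an ASCII-only character class appears to add nothing and deserves either a one-line justification or removal. If the callers can tolerate it, rejecting input that contains `/` (raising ArgumentError) rather than silently rewriting it would avoid two callers being mapped onto the same file.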