From 86170e6b215b36e98dda5d174324d228a4839c59 Mon Sep 17 00:00:00 2001
From: Axel Burri
Date: Sat, 2 Apr 2016 14:10:35 +0200
Subject: [PATCH] btrbk: bugfix: untaint result of system_realpath()
---
 btrbk | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/btrbk b/btrbk
index 2fb483e..1ee1fa7 100755
--- a/btrbk
+++ b/btrbk
@@ -1129,12 +1129,13 @@ sub system_realpath($)
 );
 return undef unless(defined($ret));
- unless($ret =~ /^$file_match$/) {
+ unless($ret =~ /^($file_match)$/) {
 ERROR "Failed to parse output of `realpath` for \"$vol->{PRINT}\": \"$ret\"";
 return undef;
 }
- DEBUG "Real path for \"$vol->{PRINT}\" is: $ret";
- return $ret;
+ my $realpath = $1; # untaint argument
+ DEBUG "Real path for \"$vol->{PRINT}\" is: $realpath";
+ return $realpath;
 }
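Review bot: The `^…$` anchors in the new `unless($ret =~ /^($file_match)$/)` still accept a trailing newline, and after this change `$1` is what taint mode treats as clean, so `$file_match` (defined outside this hunk) becomes the only check between the `realpath` output and every later use of the path. If the command output is already chomped, `unless($ret =~ /\A($file_match)\z/) {` states the full-string match exactly. The comment would also be more accurate as `# untaint: keep only the text validated by $file_match`, since it is the command result, not an argument, that is being untainted. system_realpath starts above the hunk, so how `$ret` is produced is not visible here.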