From 249d331c3c4d43d491e22614edd164906ca25df2 Mon Sep 17 00:00:00 2001
From: Florian Pritz
Date: Sun, 19 Feb 2017 10:47:05 +0100
Subject: borg-restore.pl: Untaint archive name in restore()
Signed-off-by: Florian Pritz
---
 borg-restore.pl | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/borg-restore.pl b/borg-restore.pl
index 5479ba4..5ac2682 100755
--- a/borg-restore.pl
+++ b/borg-restore.pl
@@ -256,6 +256,7 @@ sub restore {
 $destination = untaint($destination, qr(.*));
 $path = untaint($path, qr(.*));
+ my $archive_name = untaint($archive->{archive}, qr([a-zA-Z0-9-]+));
 printf "Restoring %s to %s from archive %s\n", $path, $destination, $archive->{archive};
@@ -271,7 +272,7 @@ sub restore {
 $final_destination = untaint($final_destination, qr(.*));
 debug("Removing ".$final_destination);
 File::Path::remove_tree($final_destination);
- system(qw(borg extract -v --strip-components), $components_to_strip, "::".$archive->{archive}, $path);
+ system(qw(borg extract -v --strip-components), $components_to_strip, "::".$archive_name, $path);
 }
 sub get_cache_dir {
--
cgit v1.2.3-24-g4f1b
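Review bot: The allow-list `[a-zA-Z0-9-]+` passed to `untaint` on the added line excludes characters that often appear in archive names, such as dots, underscores or the colons of a timestamp, and what happens on a mismatch depends on `untaint`, which is defined outside this hunk. If the helper matches unanchored and returns the capture, a name like `host_daily` would presumably be shortened to `host` and a different archive extracted; if it dies, such archives cannot be restored. Confirm that the helper anchors the pattern (`\A...\z`) and fails loudly, and state the accepted name format in a comment next to the call. The `printf` below still prints `$archive->{archive}`; printing `$archive_name` would make the message show the value actually handed to borg. `restore` begins before this hunk and continues past it.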
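Review bot: The exit status of the rewritten `system(...)` call is discarded, although `File::Path::remove_tree($final_destination)` has already deleted the destination on the line above, so a failed `borg extract` leaves neither the old nor the restored data and reports nothing. Checking the result, e.g. `system(...) == 0 or die "borg extract failed: $?\n";`, would surface that. `$path` also reaches borg as a positional argument after being untainted with the catch-all `qr(.*)`, so nothing visible here stops a value beginning with `-` from being parsed as an option; this may be normalised earlier in `restore`, which starts outside this hunk.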