plugins: untaint volume_size_info retuns

the size returned by volume_size_info is used for creating the new
destination image in PVE::QemuServer::clone_disk (and probably
elsewhere). In certain cases the return values are tainted - they are
obtained by a run_command call and depending on the format and length
of the parsed output can still have their tainted attribute.

One example of a tainted return has been reported in our
community-forum:
https://forum.proxmox.com/threads/cannot-clone-vm-or-move-disk-with-more-than-13-snapshots.89628/

A qcow2 image with 13 snapshots generates a output > 4k in length from
`qemu-img info --output=json`, which in turn causes the output to be
considered tainted.

This patch untaints the returns where applicable. The other
storage-plugins are not affected:
* LVMPlugin returns a single number and a newline (thus gets untainted
  by run_command)
* RBDPlugin untaints the complete json before decoding
* ZFSPoolplugin and ISCSIDirectPlugin explicitly untaint their
  returns.

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>

PVE/Storage/PBSPlugin.pm

@@ -811,7 +811,9 @@ sub volume_size_info {
 
     my $size = 0;
     foreach my $info (@$data) {
-	$size += $info->{size} if $info->{size};
+	if ($info->{size} && $info->{size} =~ /^(\d+)$/) {
+	    $size += $1;
+	}
     }
 
     my $used = $size;

PVE/Storage/Plugin.pm

@@ -837,6 +837,12 @@ sub file_size_info {
 
     my ($size, $format, $used, $parent) = $info->@{qw(virtual-size format actual-size backing-filename)};
 
+    ($size) = ($size =~ /^(\d+)$/); #untaint
+    ($used) = ($used =~ /^(\d+)$/); #untaint
+    ($format) = ($format =~ /^([-\w]+)$/); #untaint
+    if (defined($parent)) {
+	($parent) = ($parent =~ /^(.*)$/); #untaint
+    }
     return wantarray ? ($size, $format, $used, $parent, $st->ctime) : $size;
 }