diff --git a/PVE/Storage/PBSPlugin.pm b/PVE/Storage/PBSPlugin.pm
index abc6a02..19629ee 100644
--- a/PVE/Storage/PBSPlugin.pm
+++ b/PVE/Storage/PBSPlugin.pm
@@ -811,7 +811,9 @@ sub volume_size_info {
 
     my $size = 0;
     foreach my $info (@$data) {
-	$size += $info->{size} if $info->{size};
+	if ($info->{size} && $info->{size} =~ /^(\d+)$/) {
+	    $size += $1;
+	}
     }
 
     my $used = $size;
diff --git a/PVE/Storage/Plugin.pm b/PVE/Storage/Plugin.pm
index 15bf916..b1165f7 100644
--- a/PVE/Storage/Plugin.pm
+++ b/PVE/Storage/Plugin.pm
@@ -837,6 +837,12 @@ sub file_size_info {
 
     my ($size, $format, $used, $parent) = $info->@{qw(virtual-size format actual-size backing-filename)};
 
+    ($size) = ($size =~ /^(\d+)$/); #untaint
+    ($used) = ($used =~ /^(\d+)$/); #untaint
+    ($format) = ($format =~ /^([-\w]+)$/); #untaint
+    if (defined($parent)) {
+	($parent) = ($parent =~ /^(.*)$/); #untaint
+    }
     return wantarray ? ($size, $format, $used, $parent, $st->ctime) : $size;
 }