[pve-devel] [PATCH firewall] prevent overwriting ipsets/sec. groups by renaming
Dominik Csapak
d.csapak at proxmox.com
Fri Jun 3 16:11:27 CEST 2016
We did not check whether the target name of the group/ipset
already existed, so renaming overwrote the existing entry.
Signed-off-by: Dominik Csapak <d.csapak at proxmox.com>
---
src/PVE/API2/Firewall/Groups.pm | 5 +++++
src/PVE/API2/Firewall/IPSet.pm | 5 +++++
2 files changed, 10 insertions(+)
diff --git a/src/PVE/API2/Firewall/Groups.pm b/src/PVE/API2/Firewall/Groups.pm
index 99ea418..dfc181c 100644
--- a/src/PVE/API2/Firewall/Groups.pm
+++ b/src/PVE/API2/Firewall/Groups.pm
@@ -101,6 +101,11 @@ __PACKAGE__->register_method({
raise_param_exc({ group => "Security group '$param->{rename}' does not exists" })
if !$cluster_conf->{groups}->{$param->{rename}};
+ # prevent overwriting an existing group
+ raise_param_exc({ group => "Security group '$param->{group}' does already exist" })
+ if $cluster_conf->{groups}->{$param->{group}} &&
+ $param->{group} ne $param->{rename};
+
my $data = delete $cluster_conf->{groups}->{$param->{rename}};
$cluster_conf->{groups}->{$param->{group}} = $data;
if (my $comment = delete $cluster_conf->{group_comments}->{$param->{rename}}) {
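Review bot: The added existence check on `$cluster_conf->{groups}->{$param->{group}}` only prevents an overwrite if the config is loaded, checked and saved under a single lock, and the hunk does not show where `$cluster_conf` is loaded or written back. The enclosing handler starts and ends outside the hunk, so this needs confirming there. Without such a lock, two concurrent requests could both pass the check and one group would still replace the other. The same question applies to the `$fw_conf->{ipset}` check in the IPSet.pm hunk.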
diff --git a/src/PVE/API2/Firewall/IPSet.pm b/src/PVE/API2/Firewall/IPSet.pm
index 1266fd1..6129c9d 100644
--- a/src/PVE/API2/Firewall/IPSet.pm
+++ b/src/PVE/API2/Firewall/IPSet.pm
@@ -587,6 +587,11 @@ sub register_create {
raise_param_exc({ name => "IPSet '$param->{rename}' does not exists" })
if !$fw_conf->{ipset}->{$param->{rename}};
+ # prevent overwriting existing ipset
+ raise_param_exc({ name => "IPSet '$param->{name}' does already exist"})
+ if $fw_conf->{ipset}->{$param->{name}} &&
+ $param->{name} ne $param->{rename};
+
my $data = delete $fw_conf->{ipset}->{$param->{rename}};
$fw_conf->{ipset}->{$param->{name}} = $data;
if (my $comment = delete $fw_conf->{ipset_comments}->{$param->{rename}}) {
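Review bot: The comment `# prevent overwriting existing ipset` does not explain why the guard is skipped when `$param->{name} eq $param->{rename}`. In that case the `delete` and the assignment below put the same data back under the same key, so the exemption looks intentional. I would say so in the comment: `# prevent overwriting an existing ipset; renaming to the same name keeps the entry and stays allowed`. As a style point, `"does already exist"})` lacks the space before `}` that the `raise_param_exc` call just above uses, and "already exists" reads better in the message. The enclosing code continues outside the hunk.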
--
2.1.4