[pve-devel] [PATCH qemu-server] avoid harmful '<>' pattern, explicitly read from STDIN
Thomas Lamprecht
t.lamprecht at proxmox.com
Mon Jan 22 10:52:11 CET 2018
Fixes problems in CLIHandler using the code pattern:
    while (my $line = <>) {
        ...
    }
For why this causes only _now_ problems let's first look how <>
behaves:
"The null filehandle <> is special: [...] Input from <> comes either
from standard input, or from each file listed on the command line.
Here's how it works: the first time <> is evaluated, the @ARGV array
is checked, and if it is empty, $ARGV[0] is set to "-" , which when
opened gives you standard input. The @ARGV array is then processed
as a list of filenames." - 'perldoc perlop'
Recent changes in the CLIHandler code changed how we modified @ARGV.
Earlier we assumed that the first argument must be the command and
thus shifted it out of @ARGV, now we can have multiple levels of
(sub)commands. This change also changed how we handle @ARGV, we do
not unshift anything but go through the arguments until we got to
the final command and copy the rest of @ARGV as we know that this
must be the command's arguments.
For '<>' this means that ARGV was still fully populated and perl
tried to open an element as a file, which naturally failed.
Thus the change in pve-common only exposed this 'dangerous' code
pattern.
Signed-off-by: Thomas Lamprecht <t.lamprecht at proxmox.com>
---
PVE/API2/Qemu.pm | 2 +-
PVE/CLI/qm.pm | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/PVE/API2/Qemu.pm b/PVE/API2/Qemu.pm
index 0983ce6..b277a26 100644
--- a/PVE/API2/Qemu.pm
+++ b/PVE/API2/Qemu.pm
@@ -1849,7 +1849,7 @@ __PACKAGE__->register_method({
# read spice ticket from STDIN
my $spice_ticket;
if ($stateuri && ($stateuri eq 'tcp') && $migratedfrom && ($rpcenv->{type} eq 'cli')) {
- if (defined(my $line = <>)) {
+ if (defined(my $line = <STDIN>)) {
chomp $line;
$spice_ticket = $line;
}
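Review bot: in the `if (defined(my $line = <STDIN>))` branch the line read is only chomped before it is assigned to `$spice_ticket`, so an empty line on STDIN yields a defined but empty ticket. Consider rejecting an empty value here (for example by checking `length($line)` before the assignment) so a missing ticket is caught at this point rather than later.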
diff --git a/PVE/CLI/qm.pm b/PVE/CLI/qm.pm
index 564e443..04beb48 100755
--- a/PVE/CLI/qm.pm
+++ b/PVE/CLI/qm.pm
@@ -286,7 +286,7 @@ __PACKAGE__->register_method ({
$tunnel_write->("tunnel online");
$tunnel_write->("ver 1");
- while (my $line = <>) {
+ while (my $line = <STDIN>) {
chomp $line;
if ($line =~ /^quit$/) {
$tunnel_write->("OK");
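Review bot: the `while (my $line = <STDIN>)` line carries no comment saying why the handle is explicit, unlike the Qemu.pm hunk, which sits under `# read spice ticket from STDIN`. A one-line comment noting that `<>` would read from files named in @ARGV would keep the loop from being changed back later.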
--
2.14.2
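
The behaviour the commit message describes, as an added Perl example that is not part of the patch or of the Proxmox code base: with @ARGV still populated, `<>` tries to open each argument as a file, while `<STDIN>` reads the piped data. The argument values, the input lines and the `read_lines` helper are constructed for the illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed stand-in for what a (sub)command handler leaves behind:
# @ARGV still holds command words and arguments, none of them file names.
my @leftover_argv = ('no-such-cmd-word', 'no-such-vmid-100');

# Constructed stand-in for the data piped to the process on standard input.
my $piped = "ver 1\nquit\n";

# Hypothetical helper: read all lines either via the null filehandle <>
# or via an explicit <STDIN>, returning the lines and any warnings raised.
sub read_lines {
    my ($use_null_handle) = @_;

    local @ARGV = @leftover_argv;      # same leftover arguments in both runs
    local *STDIN;                      # restore the real STDIN on return
    open(STDIN, '<', \$piped) or die "cannot reopen STDIN: $!";

    my @warnings;
    local $SIG{__WARN__} = sub { push @warnings, $_[0] };

    my @lines;
    if ($use_null_handle) {
        # <> walks @ARGV and treats every element as a file to open;
        # STDIN is never consulted because @ARGV was not empty.
        while (my $line = <>) {
            chomp $line;
            push @lines, $line;
        }
    } else {
        # <STDIN> ignores @ARGV and reads the piped data.
        while (my $line = <STDIN>) {
            chomp $line;
            push @lines, $line;
        }
    }
    return (\@lines, \@warnings);
}

for my $mode (1, 0) {
    my ($lines, $warnings) = read_lines($mode);
    printf "%-8s lines read: %d, warnings: %d\n",
        $mode ? '<>' : '<STDIN>', scalar(@$lines), scalar(@$warnings);
    print "  line: $_\n" for @$lines;
    print "  warn: $_" for @$warnings;
}
```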