[pve-devel] [RFC/PATCH storage] Fix #1925: untaint rbd JSON output

Stoiko Ivanov s.ivanov at proxmox.com
Tue Sep 18 18:13:45 CEST 2018


Untainting without any sanitization, since the JSON::decode_json call below
should sanitize the output.

Signed-off-by: Stoiko Ivanov <s.ivanov at proxmox.com>
---
Not quite sure whether this approach is not too liberal.
It does fix the bug reported, thus I'm sending it as an RFC.


 PVE/Storage/RBDPlugin.pm | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/PVE/Storage/RBDPlugin.pm b/PVE/Storage/RBDPlugin.pm
index ee373d6..10cbde2 100644
--- a/PVE/Storage/RBDPlugin.pm
+++ b/PVE/Storage/RBDPlugin.pm
@@ -157,7 +157,13 @@ sub rbd_ls {
     my $pool =  $scfg->{pool} ? $scfg->{pool} : 'rbd';
 
     my $raw = '';
-    my $parser = sub { $raw .= shift };
+    my $parser = sub {
+	#untainting here because JSON::decode_json, does the sanitization
+	my $line = shift;
+	if ($line =~ m/^(.*)$/) {
+	    $raw .= "$1";
+	}
+    };
 
     eval {
 	run_rbd_command($cmd, errmsg => "rbd error", errfunc => sub {}, outfunc => $parser);
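Review bot: the pattern `m/^(.*)$/` in the new `$parser` closure accepts any content, so it clears the taint flag on everything rbd prints without checking anything. The comment's claim that JSON::decode_json does the sanitization is stronger than what a JSON parse provides: it rejects malformed syntax but does not constrain the decoded values. Consider untainting the individual fields after decoding instead, each with a pattern for its expected form, or at least reword the comment to say that only JSON well-formedness is checked. Also, the `if` has no else branch, so a line that fails to match (`.` does not match an embedded newline without `/s`) is dropped silently. A `die` there would be clearer than truncated input reaching the decoder.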
@@ -202,7 +208,13 @@ sub rbd_volume_info {
     $cmd = &$rbd_cmd($scfg, $storeid, @options);
 
     my $raw = '';
-    my $parser = sub { $raw .= shift };
+    my $parser = sub {
+	#untainting here because JSON::decode_json, does the sanitization
+	my $line = shift;
+	if ($line =~ m/^(.*)$/) {
+	    $raw .= "$1";
+	}
+    };
 
     run_rbd_command($cmd, errmsg => "rbd error", errfunc => sub {}, outfunc => $parser);
 
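Review bot: this closure in rbd_volume_info is a line-for-line copy of the one added to rbd_ls, so any later tightening of the untaint pattern has to be made in two places. A small shared helper in this module that builds the accumulating parser would keep the two call sites in sync. Minor style points on the same lines: the quotes in `$raw .= "$1";` are unnecessary, and the comment has a stray comma after JSON::decode_json.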
-- 
2.11.0




