[pve-devel] [PATCH pve-storage] Fix #1925: untaint rbd JSON output

Stoiko Ivanov s.ivanov at proxmox.com
Wed Sep 19 09:53:24 CEST 2018


I gave it a quick spin, LGTM, comment inline:

On Wed, Sep 19, 2018 at 08:21:55AM +0200, Thomas Lamprecht wrote:
> On 9/19/18 6:43 AM, Dietmar Maurer wrote:
> > Signed-off-by: Dietmar Maurer <dietmar at proxmox.com>
> > ---
> >  PVE/Storage/RBDPlugin.pm | 22 +++++++++++++++++++---
> >  1 file changed, 19 insertions(+), 3 deletions(-)
> > 
> > diff --git a/PVE/Storage/RBDPlugin.pm b/PVE/Storage/RBDPlugin.pm
> > index ee373d6..0acfb2d 100644
> > --- a/PVE/Storage/RBDPlugin.pm
> > +++ b/PVE/Storage/RBDPlugin.pm
> > @@ -166,7 +166,14 @@ sub rbd_ls {
> >  
> >      die $err if $err && $err !~ m/doesn't contain rbd images/ ;
> >  
> > -    my $result = $raw ne '' ? JSON::decode_json($raw) : [];
> > +    my $result;
> > +    if ($raw eq '') {
> > +	$result = [];
> > +    } elsif ($raw =~ m/^(\[.*\])$/s) { # untaint
> > +	$result = JSON::decode_json($1);
> > +    } else {
> > +	die "got unexpected data from rbd ls: '$raw'\n";
> > +    }
> >  
> >      my $list = {};
> >  
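Review bot: In rbd_ls the untaint pattern m/^(\[.*\])$/s only checks that the output starts with '[' and ends with ']', so everything in between is untainted without inspection. That is acceptable only because JSON::decode_json($1) parses it immediately afterwards; a short comment stating that the regex is a shape check and the decoder does the real validation would keep later readers from treating $1 as vetted data. The die message also interpolates all of $raw, which may be large or contain control characters; consider truncating it before it is reported.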
> > @@ -206,7 +213,14 @@ sub rbd_volume_info {
> >  
> >      run_rbd_command($cmd, errmsg => "rbd error", errfunc => sub {}, outfunc => $parser);
> >  
> > -    my $volume = $raw ne '' ? JSON::decode_json($raw) : {};
> > +    my $volume;
> > +    if ($raw eq '') {
> > +	$volume = {};
> > +    } elsif ($raw =~ m/^(\{.*\})$/s) { # untaint
> > +	$volume = JSON::decode_json($1);
> > +    } else {
> > +	die "got unexpected data from rbd info: '$raw'\n";
> > +    }
> >  
> >      $volume->{parent} = $get_parent_image_name->($volume->{parent});
> >      $volume->{protected} = defined($volume->{protected}) && $volume->{protected} eq "true" ? 1 : undef;
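Review bot: rbd_volume_info repeats the empty / match / die block from rbd_ls with only the delimiter, the default value and the command name changed; a small shared helper taking the raw string, the expected delimiters and a label would keep the two untaint paths from drifting apart. Also note that with errfunc => sub {} discarding stderr, an empty $raw still silently becomes {} and the code goes on to read $volume->{parent}; it is worth deciding whether empty output from rbd info should be an error here.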
> > @@ -325,7 +339,9 @@ my $find_free_diskname = sub {
> >  
> >      my $parser = sub {
> >  	my $line = shift;
> > -	push @$disk_list, $line;
> > +	if ($line = m/^(.*)$/) { # untaint
tiny glitch (match operator):
if ($line =~ m/^(.*)$/) { # untaint
> > +	    push @$disk_list, $1;
> > +	}
> >      };
> >  
> >      eval {
> > 
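Review bot: In the $parser closure, the condition `$line = m/^(.*)$/` uses assignment instead of the binding operator, so the match runs against $_ and its result overwrites $line; it should read `$line =~ m/^(.*)$/`, as pointed out inline. Separately, (.*) untaints any line whatsoever; if these lines are expected to be image names, a pattern restricted to the characters a disk name can contain would make the untaint meaningful.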
> 
> Reviewed-by: Thomas Lamprecht <t.lamprecht at proxmox.com>
Tested-by: Stoiko Ivanov <s.ivanov at proxmox.com>
Reviewed-by: Stoiko Ivanov <s.ivanov at proxmox.com>
> 
> If there are no objections I'd apply and push this out.