[pve-devel] [PATCH common] run_command: untaint end of buffer
Stoiko Ivanov
s.ivanov at proxmox.com
Tue Jun 22 18:52:04 CEST 2021
On Tue, 22 Jun 2021 17:15:08 +0200
Thomas Lamprecht <t.lamprecht at proxmox.com> wrote:
> On 22.06.21 17:10, Stoiko Ivanov wrote:
> > I had a patch for untainting the individual values in
> > PVE::Storage::Plugin::volume_size_info but then went with this patch,
>
> I'd rather have that patch, especially for back-porting to stable.
Makes sense - sent the patch for pve-storage
> I mean, else we can probably just turn of the taint mode completely, what's the
> point then.
I'm always a bit (too) cautious when it comes to turning of 'security'
related 'features' (even if mostly doubting that taint-mode fits either of
those 2 categories) - so not sure about disabling it in general
the taint of the some of the run_command output on the other hand was
introduced as a side-effect with the changes last year afaict, and has
caused at least 2 glitches since then...
>
> > since I expect the issue of output not ending in newline or being longer
> > than 4k to linger in a few places in our code.
> >
> > For the volume_size_info calls of our storage plugins - a quick check says
> > only PBSPlugin.pm and Plugin.pm could cause this issue
>
> can we patch it there then too?
More information about the pve-devel
mailing list