[pve-devel] [PATCH qemu-server v6 6/6] api: check untrusted image files for import content type

[Dominik Csapak]

check to be imported files for external references if they are of
content type 'import'.

Signed-off-by: Dominik Csapak <d.csapak at proxmox.com>
---
new in v6

 PVE/API2/Qemu.pm | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/PVE/API2/Qemu.pm b/PVE/API2/Qemu.pm
index 58aaabbe..cbbd1e36 100644
--- a/PVE/API2/Qemu.pm
+++ b/PVE/API2/Qemu.pm
@@ -440,6 +440,7 @@ my sub create_disks : prototype($$$$$$$$$$$) {
 		    my ($vtype, undef, undef, undef, undef, undef, $fmt)
 			= PVE::Storage::parse_volname($storecfg, $source);
 		    my $needs_extraction = PVE::QemuServer::Helpers::needs_extraction($vtype, $fmt);
+		    my $untrusted = $vtype eq 'import' ? 1 : 0;
 		    if ($needs_extraction) {
 			print "extracting $source\n";
 			my $extracted_volid = PVE::GuestImport::extract_disk_from_import_file(
@@ -458,7 +459,8 @@ my sub create_disks : prototype($$$$$$$$$$$) {
 			my $path = PVE::Storage::path($storecfg, $source)
 			    or die "failed to get a path for '$source'\n";
 			$source = $path;
-			($size, my $source_format) = PVE::Storage::file_size_info($source);
+			# check potentially untrusted image file for import vtype
+			($size, my $source_format) = PVE::Storage::file_size_info($source, undef, $untrusted);
 
 			die "could not get file size of $source\n" if !$size;
 			$live_import_mapping->{$ds} = {
@@ -468,6 +470,13 @@ my sub create_disks : prototype($$$$$$$$$$$) {
 			$live_import_mapping->{$ds}->{'delete-after-finish'} = $source
 			    if $needs_extraction;
 		    } else {
+			# check potentially untrusted image file for import vtype
+			if ($untrusted) {
+			    my $scfg = PVE::Storage::storage_config($storecfg, $source_storage);
+			    my $path = PVE::Storage::path($storecfg, $source);
+			    PVE::Storage::file_size_info($path, undef, 1);
+			}
+
 			my $dest_info = {
 			    vmid => $vmid,
 			    drivename => $ds,
-- 
2.39.5