[pve-devel] applied: [PATCH v3 qemu-server] remote migration: fix online migration via API clients
Thomas Lamprecht
t.lamprecht at proxmox.com
Fri Sep 6 19:03:25 CEST 2024
Am 04/09/2024 um 13:12 schrieb Fiona Ebner:
> As reported in the community forum [0], when a remote migration
> request comes in via an API client, the -T flag for Perl is set, so an
> insecure dependency in a call like unlink() in forward_unix_socket()
> will fail with:
>
>> failed to write forwarding command - Insecure dependency in unlink while running with -T switch
>
> To fix it, untaint the problematic socket addresses coming from the
> remote side. Require that all sockets are below '/run/qemu-server/'
> and end with '.migrate' with the main socket being matched more
> strictly. This allows extensions in the future while still being quite
> strict.
>
> [0]: https://forum.proxmox.com/threads/123048/post-691958
>
> Signed-off-by: Fiona Ebner <f.ebner at proxmox.com>
> ---
>
> Changes in v3:
> * Match main socket address more strictly as suggested by Fabian.
>
> PVE/QemuMigrate.pm | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
>
applied, thanks!
More information about the pve-devel
mailing list