[pve-devel] applied: [PATCH v3 qemu-server] remote migration: fix online migration via API clients

Thomas Lamprecht t.lamprecht at proxmox.com
Fri Sep 6 19:03:25 CEST 2024


On 04/09/2024 at 13:12, Fiona Ebner wrote:
> As reported in the community forum [0], when a remote migration
> request comes in via an API client, the -T flag for Perl is set, so an
> insecure dependency in a call like unlink() in forward_unix_socket()
> will fail with:
> 
>> failed to write forwarding command - Insecure dependency in unlink while running with -T switch
> 
> To fix it, untaint the problematic socket addresses coming from the
> remote side. Require that all sockets are below '/run/qemu-server/'
> and end with '.migrate' with the main socket being matched more
> strictly. This allows extensions in the future while still being quite
> strict.
> 
> [0]: https://forum.proxmox.com/threads/123048/post-691958
> 
> Signed-off-by: Fiona Ebner <f.ebner at proxmox.com>
> ---
> 
> Changes in v3:
> * Match main socket address more strictly as suggested by Fabian.
> 
>  PVE/QemuMigrate.pm | 7 ++++++-
>  1 file changed, 6 insertions(+), 1 deletion(-)
> 
>

applied, thanks!
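
The untainting approach described in the quoted commit message, as an added example that is not the code from the applied patch: under `perl -T`, only a regex capture group yields an untainted value, so the capture doubles as the path allow-list. The two patterns, the helper name `untaint_socket_addr` and the sample addresses are assumptions constructed for illustration.

```perl
#!/usr/bin/perl
# Run with: perl -T untaint_socket.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Assumed patterns modelled on the commit message: the main socket is matched
# strictly (numeric VMID only), any other socket more loosely, but always
# directly below /run/qemu-server/ and ending in '.migrate'.
# \z (not $) so a trailing newline cannot slip through; the character class
# excludes '/', so '../' sequences can never match.
my $MAIN_SOCKET_RE  = qr!^(/run/qemu-server/[0-9]+\.migrate)\z!;
my $OTHER_SOCKET_RE = qr!^(/run/qemu-server/[A-Za-z0-9_.-]+\.migrate)\z!;

# Hypothetical helper: returns the untainted address or dies.
sub untaint_socket_addr {
    my ($addr, $is_main) = @_;
    my $re = $is_main ? $MAIN_SOCKET_RE : $OTHER_SOCKET_RE;
    # In taint mode $1 is untainted, $addr itself stays tainted.
    return $1 if $addr =~ $re;
    die "refusing unexpected socket address '$addr'\n";
}

# Zero-length tainted string (empty but untainted when run without -T);
# appending it marks the constructed samples as tainted, like remote input.
my $taint = substr($^X, 0, 0);

# Constructed sample input: [ address, is_main_socket ]
my @samples = (
    [ '/run/qemu-server/100.migrate',                 1 ],
    [ '/run/qemu-server/100_nbd.migrate',             0 ],
    [ '/run/qemu-server/100_nbd.migrate',             1 ], # too loose for main
    [ '/run/qemu-server/../../tmp/100.migrate',       0 ], # leaves the directory
    [ '/tmp/100.migrate',                             1 ], # wrong directory
    [ "/run/qemu-server/100.migrate\n",               1 ], # trailing newline
);

for my $sample (@samples) {
    my ($addr, $is_main) = ($sample->[0] . $taint, $sample->[1]);
    my $clean = eval { untaint_socket_addr($addr, $is_main) };
    (my $shown = $addr) =~ s/\n/\\n/g;
    printf "%-42s main=%d tainted_in=%d -> %s\n",
        $shown, $is_main, tainted($addr) ? 1 : 0,
        defined $clean
            ? 'accepted, tainted_out=' . (tainted($clean) ? 1 : 0)
            : 'rejected';
}
```

Only the returned value should be handed to calls such as unlink(); passing the original variable would still trigger the "Insecure dependency" error quoted above.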



