[pve-devel] [PATCH storage v4 1/1] import: allow upload of guest images files into import storage

Wed Mar 26 16:26:05 CET 2025

so users can upload qcow2/raw/vmdk files directly in the ui

Signed-off-by: Dominik Csapak <d.csapak at proxmox.com>
---
changes from v3:
* also allow vmdk and raw

 src/PVE/API2/Storage/Status.pm | 17 ++++++++++++++++-
 src/PVE/Storage.pm             |  3 ++-
 2 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/src/PVE/API2/Storage/Status.pm b/src/PVE/API2/Storage/Status.pm
index c854b53..b23d283 100644
--- a/src/PVE/API2/Storage/Status.pm
+++ b/src/PVE/API2/Storage/Status.pm
@@ -456,6 +456,7 @@ __PACKAGE__->register_method ({
 
 	my $path;
 	my $isOva = 0;
+	my $imageFormat;
 
 	if ($content eq 'iso') {
 	    if ($filename !~ m![^/]+$PVE::Storage::ISO_EXT_RE_0$!) {
@@ -472,7 +473,12 @@ __PACKAGE__->register_method ({
 		raise_param_exc({ filename => "invalid filename or wrong extension" });
 	    }
 
-	    $isOva = 1;
+	    if ($filename =~ m/\.ova$/) {
+		$isOva = 1;
+	    } elsif ($filename =~ m/${PVE::Storage::UPLOAD_IMPORT_IMAGE_EXT_RE_1}$/) {
+		$imageFormat = $1;
+	    }
+
 	    $path = PVE::Storage::get_import_dir($cfg, $storage);
 	} else {
 	    raise_param_exc({ content => "upload content type '$content' not allowed" });
@@ -543,6 +549,9 @@ __PACKAGE__->register_method ({
 
 		if ($isOva) {
 		    assert_ova_contents($tmpfilename);
+		} elsif (defined($imageFormat)) {
+		    # checks untrusted image
+		    PVE::Storage::file_size_info($tmpfilename, 10, $imageFormat, 1);
 		}
 	    };
 	    if (my $err = $@) {
@@ -667,6 +676,7 @@ __PACKAGE__->register_method({
 
 	my $path;
 	my $isOva = 0;
+	my $imageFormat;
 
 	if ($content eq 'iso') {
 	    if ($filename !~ m![^/]+$PVE::Storage::ISO_EXT_RE_0$!) {
@@ -685,6 +695,8 @@ __PACKAGE__->register_method({
 
 	    if ($filename =~ m/\.ova$/) {
 		$isOva = 1;
+	    } elsif ($filename =~ m/${PVE::Storage::UPLOAD_IMPORT_IMAGE_EXT_RE_1}$/) {
+		$imageFormat = $1;
 	    }
 
 	    $path = PVE::Storage::get_import_dir($cfg, $storage);
@@ -717,6 +729,9 @@ __PACKAGE__->register_method({
 
 	    if ($isOva) {
 		assert_ova_contents($tmp_path);
+	    } elsif (defined($imageFormat)) {
+		# checks untrusted image
+		PVE::Storage::file_size_info($tmp_path, 10, $imageFormat, 1);
 	    }
 	};
 
diff --git a/src/PVE/Storage.pm b/src/PVE/Storage.pm
index c5d4ff8..09d9883 100755
--- a/src/PVE/Storage.pm
+++ b/src/PVE/Storage.pm
@@ -116,7 +116,8 @@ our $BACKUP_EXT_RE_2 = qr/\.(tgz|(?:tar|vma)(?:\.(${\PVE::Storage::Plugin::COMPR
 
 our $IMPORT_EXT_RE_1 = qr/\.(ova|ovf|qcow2|raw|vmdk)/;
 
-our $UPLOAD_IMPORT_EXT_RE_1 = qr/\.(ova)/;
+our $UPLOAD_IMPORT_EXT_RE_1 = qr/\.(ova|qcow2|raw|vmdk)/;
+our $UPLOAD_IMPORT_IMAGE_EXT_RE_1 = qr/\.(qcow2|raw|vmdk)/;
 
 our $SAFE_CHAR_CLASS_RE = qr/[a-zA-Z0-9\-\.\+\=\_]/;
 our $SAFE_CHAR_WITH_WHITESPACE_CLASS_RE = qr/[ a-zA-Z0-9\-\.\+\=\_]/;
-- 
2.39.5



