[Libguestfs] [PATCH 0/5] rbd improvements

Richard W.M. Jones rjones at redhat.com
Thu May 9 16:21:02 UTC 2013


On Thu, May 09, 2013 at 11:23:55AM -0400, Mike Kelly wrote:
> On Wed, May 8, 2013 at 6:53 AM, Richard W.M. Jones <rjones at redhat.com> wrote:
> > One worry I have is whether quoting is required for the server
> > name(s), export name, username and secret.
> 
> Well. I think the main things we had to quote were ':' and ';', but
> none of those are valid in a hostname. Username also probably doesn't
> contain anything special, and secret is a base64-encoded string. I
> confirmed that even with the string ending in '==', it was parsed just
> fine by qemu, at least in my limited manual testing.
> 
> If you can suggest a way to be more robust about this, though, then I can
> try to work that into a future patch series.

The quoting problem happens when someone writes a program which takes
(eg) a hostname string from the user and passes it unmodified to the
guestfs API.  It's an issue if this string can cause unexpected [even
malicious/exploitable] things to happen when passed unquoted on the
qemu command line.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-p2v converts physical machines to virtual machines.  Boot with a
live CD or over the network (PXE) and turn machines into KVM guests.
http://libguestfs.org/virt-v2v
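
A validating check of the kind the reply above asks for, as an added example that is not libguestfs or qemu code: it accepts a server name only if it is a well-formed RFC 1123 hostname and a secret only if it is standard padded base64, so ':' and ';' (or anything else the rbd option string could misread) can never reach the qemu command line from those two fields. The function names and the assumption that the secret is always standard base64 are mine, not the project's.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hostname per RFC 1123: dot-separated labels of letters, digits and '-',
 * each 1..63 chars, not starting or ending with '-', whole name <= 253.
 * This rejects ':' and ';' (and everything else) as a side effect. */
bool rbd_hostname_is_valid(const char *h)
{
  size_t len, i, label = 0;

  if (h == NULL || (len = strlen(h)) == 0 || len > 253)
    return false;
  for (i = 0; i <= len; i++) {
    unsigned char c = (unsigned char) h[i];
    if (c == '.' || c == '\0') {                 /* end of a label */
      if (label == 0 || label > 63 || h[i-1] == '-')
        return false;
      label = 0;
    } else if (isalnum(c) || c == '-') {
      if (label == 0 && c == '-')
        return false;
      label++;
    } else
      return false;
  }
  return true;
}

/* Secret as described in the thread: standard base64, i.e. [A-Za-z0-9+/]
 * followed by at most two '=' padding chars, total length a multiple of 4
 * (assumed here).  Anything else, including ':' or ';', is rejected. */
bool rbd_secret_is_valid(const char *s)
{
  size_t len, i, pad = 0;

  if (s == NULL || (len = strlen(s)) == 0 || len % 4 != 0)
    return false;
  for (i = 0; i < len; i++) {
    unsigned char c = (unsigned char) s[i];
    if (c == '=') {
      if (++pad > 2)
        return false;
    } else if (pad > 0 || !(isalnum(c) || c == '+' || c == '/'))
      return false;                   /* data after padding, or bad char */
  }
  return true;
}
```

A caller would run these checks on the user-supplied strings before building the rbd option string, and refuse the request rather than try to quote its way around a rejected value.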