[Libosinfo] [PATCH] osinfo-install-script: read config values as strings

Christophe Fergeau cfergeau at redhat.com
Thu Mar 20 14:56:04 UTC 2014


On Mon, Mar 17, 2014 at 05:00:16PM +0100, Giuseppe Scrivano wrote:
> Christophe Fergeau <cfergeau at redhat.com> writes:
> 
> >> Solves this problem:
> >> 
> >> $ osinfo-install-script rhel6.5 -c "admin-password=a&b"
> >> error : unterminated entity reference               b
> >
> >
> > Shouldn't we be XML-escaping user-input instead (
> > xmlEncodeEntitiesReentrant() ) ?
> 
> the same would happen, for example, if the password is generated
> randomly.  If you try enough times the same command without the
> '-c "admin-password=a&b"' part, you will hit the same problem at some
> point.  I think it is safer to fix it at this level.

My initial thought was to fix this when this string is set on the
OsinfoInstallScriptConfig object, but there is no special code handling this parameter
in osinfo-install-script nor in OsinfoInstallScriptConfig, just generic
code setting an entity param, so this patch is probably the only place
where we can solve this.

However, I'm not familiar enough with the implications of using
this 'raw' node API to feel comfortable ACKing this :-/

Christophe
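
The failure discussed in this thread, reproduced as an added example (not part of the original message and not libosinfo code): Python's standard XML modules stand in for the C XML library, and all function names are hypothetical. It shows a config value containing `&` producing markup that is not well-formed when spliced in unescaped, and surviving when it is escaped first or stored as a text node, for the `a&b` case and for randomly generated passwords.

```python
import secrets
import string
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

KEY = "admin-password"
# Constructed password alphabet; it includes '&' and '<' on purpose.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def config_xml_naive(key, value):
    """Splice the value into markup as-is: '&' starts an entity reference."""
    return f"<config><{key}>{value}</{key}></config>"


def config_xml_escaped(key, value):
    """Escape '&', '<' and '>' before splicing the value into markup."""
    return f"<config><{key}>{escape(value)}</{key}></config>"


def config_xml_text_node(key, value):
    """Store the value as a text node; the serializer does the escaping."""
    root = ET.Element("config")
    ET.SubElement(root, key).text = value
    return ET.tostring(root, encoding="unicode")


def read_back(xml_text, key):
    """Return the parsed value, or None if the document is not well-formed."""
    try:
        return ET.fromstring(xml_text).findtext(key)
    except ET.ParseError:
        return None


def count_round_trip_failures(builder, trials=500, length=12):
    """Count random passwords that do not survive build + parse unchanged."""
    failures = 0
    for _ in range(trials):
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if read_back(builder(KEY, pw), KEY) != pw:
            failures += 1
    return failures


if __name__ == "__main__":
    for build in (config_xml_naive, config_xml_escaped, config_xml_text_node):
        print(build.__name__, repr(read_back(build(KEY, "a&b"), KEY)),
              "random failures:", count_round_trip_failures(build))
```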