[libvirt] [PATCH] esx: do not store escaped password in esxVI_Context.
Dawid Zamirski
dzamirski at datto.com
Wed May 25 17:17:36 UTC 2016
Hi Michal,
Thanks for reviewing. I'll send v2 soon to handle EnsureSession as
well.
Regards,
Dawid
On Wed, 2016-05-25 at 14:33 +0200, Michal Privoznik wrote:
> On 23.05.2016 23:32, Dawid Zamirski wrote:
> > This patch fixes an issue where screenshot API call was failing
> > when
> > the esx/vcenter password contains special characters such as
> > apostrophee. The reason for failures was that passwords were
> > escaped
> > for XML and stored in esxVI_Context which was then passed to raw
> > CURL API
> > calls where the password must be passed in original form to
> > authenticate successfully. So this patch addresses this by storing
> > original passwords in the esxVI_Context struct and escape only for
> > esxVI_Login call.
> > ---
> > src/esx/esx_driver.c | 22 ++++------------------
> > src/esx/esx_vi.c | 13 ++++++++++++-
> > 2 files changed, 16 insertions(+), 19 deletions(-)
> >
> > diff --git a/src/esx/esx_driver.c b/src/esx/esx_driver.c
> > index 00d0e0a..031c666 100644
> > --- a/src/esx/esx_driver.c
> > +++ b/src/esx/esx_driver.c
> > @@ -617,7 +617,6 @@ esxConnectToHost(esxPrivate *priv,
> > int result = -1;
> > char ipAddress[NI_MAXHOST] = "";
> > char *username = NULL;
> > - char *unescapedPassword = NULL;
> > char *password = NULL;
> > char *url = NULL;
> > esxVI_String *propertyNameList = NULL;
> > @@ -647,18 +646,13 @@ esxConnectToHost(esxPrivate *priv,
> > }
> > }
> >
> > - unescapedPassword = virAuthGetPassword(conn, auth, "esx",
> > username, conn->uri->server);
> > + password = virAuthGetPassword(conn, auth, "esx", username,
> > conn->uri->server);
> >
> > - if (!unescapedPassword) {
> > + if (!password) {
> > virReportError(VIR_ERR_AUTH_FAILED, "%s", _("Password
> > request failed"));
> > goto cleanup;
> > }
> >
> > - password = esxUtil_EscapeForXml(unescapedPassword);
> > -
> > - if (!password)
> > - goto cleanup;
> > -
> > if (virAsprintf(&url, "%s://%s:%d/sdk", priv->parsedUri-
> > >transport,
> > conn->uri->server, conn->uri->port) < 0)
> > goto cleanup;
> > @@ -705,7 +699,6 @@ esxConnectToHost(esxPrivate *priv,
> >
> > cleanup:
> > VIR_FREE(username);
> > - VIR_FREE(unescapedPassword);
> > VIR_FREE(password);
> > VIR_FREE(url);
> > esxVI_String_Free(&propertyNameList);
> > @@ -726,7 +719,6 @@ esxConnectToVCenter(esxPrivate *priv,
> > int result = -1;
> > char ipAddress[NI_MAXHOST] = "";
> > char *username = NULL;
> > - char *unescapedPassword = NULL;
> > char *password = NULL;
> > char *url = NULL;
> >
> > @@ -752,18 +744,13 @@ esxConnectToVCenter(esxPrivate *priv,
> > }
> > }
> >
> > - unescapedPassword = virAuthGetPassword(conn, auth, "esx",
> > username, hostname);
> > + password = virAuthGetPassword(conn, auth, "esx", username,
> > hostname);
> >
> > - if (!unescapedPassword) {
> > + if (!password) {
> > virReportError(VIR_ERR_AUTH_FAILED, "%s", _("Password
> > request failed"));
> > goto cleanup;
> > }
> >
> > - password = esxUtil_EscapeForXml(unescapedPassword);
> > -
> > - if (!password)
> > - goto cleanup;
> > -
> > if (virAsprintf(&url, "%s://%s:%d/sdk", priv->parsedUri-
> > >transport,
> > hostname, conn->uri->port) < 0)
> > goto cleanup;
> > @@ -799,7 +786,6 @@ esxConnectToVCenter(esxPrivate *priv,
> >
> > cleanup:
> > VIR_FREE(username);
> > - VIR_FREE(unescapedPassword);
> > VIR_FREE(password);
> > VIR_FREE(url);
> >
> > diff --git a/src/esx/esx_vi.c b/src/esx/esx_vi.c
> > index bf6f228..872cb7d 100644
> > --- a/src/esx/esx_vi.c
> > +++ b/src/esx/esx_vi.c
> > @@ -996,6 +996,8 @@ esxVI_Context_Connect(esxVI_Context *ctx, const
> > char *url,
> > const char *ipAddress, const char *username,
> > const char *password, esxUtil_ParsedUri
> > *parsedUri)
> > {
> > + char *escapedPassword = NULL;
> > +
> > if (!ctx || !url || !ipAddress || !username ||
> > !password || ctx->url || ctx->service || ctx->curl) {
> > virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("Invalid
> > argument"));
> > @@ -1107,7 +1109,16 @@ esxVI_Context_Connect(esxVI_Context *ctx,
> > const char *url,
> > if (ctx->productLine == esxVI_ProductLine_VPX)
> > ctx->hasSessionIsActive = true;
> >
> > - if (esxVI_Login(ctx, username, password, NULL, &ctx->session)
> > < 0 ||
> > + escapedPassword = esxUtil_EscapeForXml(password);
> > +
> > + if (!escapedPassword) {
> > + VIR_FREE(escapedPassword);
> > + virReportError(VIR_ERR_INTERNAL_ERROR,
> > + _("Failed to escape password for XML"));
> > + return -1;
> > + }
> > +
> > + if (esxVI_Login(ctx, username, escapedPassword, NULL, &ctx-
> > >session) < 0 ||
> > esxVI_BuildSelectSetCollection(ctx) < 0) {
> > return -1;
> > }
> >
>
> Looks reasonable, although you forgot about esxVI_EnsureSession(). I
> guess it needs some fixing too.
>
> Michal
More information about the libvir-list
mailing list