[libvirt] [PATCH] esx: do not store escaped password in esxVI_Context.
Matthias Bolte
matthias.bolte at googlemail.com
Thu May 26 06:49:52 UTC 2016
2016-05-23 23:32 GMT+02:00 Dawid Zamirski <dzamirski at datto.com>:
> This patch fixes an issue where screenshot API call was failing when
> the esx/vcenter password contains special characters such as
> apostrophe. The reason for failures was that passwords were escaped
> for XML and stored in esxVI_Context which was then passed to raw CURL API
> calls where the password must be passed in original form to
> authenticate successfully. So this patch addresses this by storing
> original passwords in the esxVI_Context struct and escape only for
> esxVI_Login call.
> diff --git a/src/esx/esx_vi.c b/src/esx/esx_vi.c
> index bf6f228..872cb7d 100644
> --- a/src/esx/esx_vi.c
> +++ b/src/esx/esx_vi.c
> @@ -996,6 +996,8 @@ esxVI_Context_Connect(esxVI_Context *ctx, const char *url,
> const char *ipAddress, const char *username,
> const char *password, esxUtil_ParsedUri *parsedUri)
> {
> + char *escapedPassword = NULL;
> +
> if (!ctx || !url || !ipAddress || !username ||
> !password || ctx->url || ctx->service || ctx->curl) {
> virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("Invalid argument"));
> @@ -1107,7 +1109,16 @@ esxVI_Context_Connect(esxVI_Context *ctx, const char *url,
> if (ctx->productLine == esxVI_ProductLine_VPX)
> ctx->hasSessionIsActive = true;
>
> - if (esxVI_Login(ctx, username, password, NULL, &ctx->session) < 0 ||
> + escapedPassword = esxUtil_EscapeForXml(password);
> +
> + if (!escapedPassword) {
> + VIR_FREE(escapedPassword);
No need to free it here, because it was never allocated in this path.
> + virReportError(VIR_ERR_INTERNAL_ERROR,
> + _("Failed to escape password for XML"));
> + return -1;
> + }
> +
> + if (esxVI_Login(ctx, username, escapedPassword, NULL, &ctx->session) < 0 ||
> esxVI_BuildSelectSetCollection(ctx) < 0) {
But you need to free it here
> return -1;
> }
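
Review bot: in the new `if (!escapedPassword)` branch, virReportError is called with the translated message in the format-string position, while the existing call at the top of this function passes "%s" first. The new call should match it: `virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("Failed to escape password for XML"));`. Also in this hunk, escapedPassword is a heap copy of the credential that neither the `return -1` after esxVI_Login nor the code that follows it releases; a single VIR_FREE(escapedPassword) placed right after the login attempt, before the result is checked, would cover both the failure and the success path.
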
and here, otherwise you'll leak memory.
And as Michal already mentioned, you missed the login call in
esxVI_EnsureSession.
--
Matthias Bolte
http://photron.blogspot.com
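
The rule the patch description arrives at (keep the password unmodified in the context, escape only at the XML sink, release the escaped copy on every path) is sketched below as an added example. It is not part of the original message and not libvirt code; xml_escape, struct ctx, build_login_xml and build_http_userpwd are hypothetical names, and the credentials are constructed sample values.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical XML text escaper; returns a heap copy the caller must free. */
static char *xml_escape(const char *s)
{
    static const char special[] = "&<>\"'";
    static const char *const entity[] = {"&amp;", "&lt;", "&gt;", "&quot;", "&apos;"};
    char *out = malloc(strlen(s) * 6 + 1), *p = out; /* longest entity is 6 bytes */
    for (; out && *s; s++) {
        const char *hit = strchr(special, *s);
        if (hit)
            p += sprintf(p, "%s", entity[hit - special]);
        else
            *p++ = *s;
    }
    if (out)
        *p = '\0';
    return out;
}

/* Hypothetical context: stores the password exactly as supplied, never escaped. */
struct ctx { const char *username; const char *password; };

/* XML sink: escape at the point of use and free the copy on every path. */
static int build_login_xml(const struct ctx *c, char *buf, size_t len)
{
    char *esc = xml_escape(c->password);
    int n = esc ? snprintf(buf, len, "<password>%s</password>", esc) : -1;
    free(esc); /* free(NULL) is a no-op, so the failure path is covered too */
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* HTTP sink: the credential string for the HTTP client takes the raw value. */
static int build_http_userpwd(const struct ctx *c, char *buf, size_t len)
{
    int n = snprintf(buf, len, "%s:%s", c->username, c->password);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

int main(void)
{
    struct ctx c = {"root", "pa'ss&word"}; /* constructed sample values */
    char xml[128], up[128];
    if (build_login_xml(&c, xml, sizeof(xml)) || build_http_userpwd(&c, up, sizeof(up)))
        return 1;
    return puts(xml) < 0 || puts(up) < 0;
}
```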