[libvirt] [PATCH v2 2/3] hyperv: Escape WQL queries
Ladi Prosek
lprosek at redhat.com
Tue Oct 17 07:32:48 UTC 2017
On Mon, Oct 16, 2017 at 3:58 PM, John Ferlan <jferlan at redhat.com> wrote:
>
>
> On 10/06/2017 02:47 AM, Ladi Prosek wrote:
>> The code was vulnerable to SQL injection. Likely not a security issue due to
>> WMI SQL and other constraints but still lame. For example:
>>
>> virsh # dominfo \"
>> error: failed to get domain '"'
>> error: internal error: SOAP fault during enumeration: code 's:Sender', subcode
>> 'n:CannotProcessFilter', reason 'The data source could not process the filter.
>> The filter might be missing or it might be invalid. Change the filter and try
>> the request again. ', detail 'The WS-Management service cannot process the
>> request. The WQL query is invalid. '
>>
>> This commit fixes the Hyper-V driver by escaping all WMI SQL string parameters.
>>
>> The same command with the fix:
>>
>> virsh # dominfo \"
>> error: failed to get domain '"'
>> error: Domain not found: No domain with name "
>>
>> Signed-off-by: Ladi Prosek <lprosek at redhat.com>
>> ---
>> src/hyperv/hyperv_driver.c | 96 +++++++++++++++++++++++-----------------------
>> src/hyperv/hyperv_wmi.c | 2 +-
>> src/util/virbuffer.c | 18 +++++++++
>> src/util/virbuffer.h | 3 ++
>> 4 files changed, 70 insertions(+), 49 deletions(-)
>>
>
> Surprised to a degree this worked correctly without adding
> 'virBufferEscapeSQL' to src/libvirt_private.syms

Interesting, I followed instructions at
https://libvirt.org/compiling.html#building and didn't see any
warnings or indication that something was amiss.

> In any case, I'll add before pushing...

Thank you!
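
The failure in the quoted commit message, shown as an added example that is not code from the patch or from libvirt: a name pasted unescaped into a WQL string literal unbalances the quotes, while an escaped name leaves exactly one literal. The helper names, the query text and the escape set (`'`, `"` and `\`, each prefixed with a backslash) are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical helper, not libvirt's virBufferEscapeSQL. Assumed escape set:
 * ' " and \ each get a backslash. dst must hold 2 * strlen(src) + 1 bytes. */
static char *wql_escape(char *dst, const char *src)
{
    char *o = dst;
    for (; *src; src++) {
        if (strchr("'\"\\", *src))
            *o++ = '\\';
        *o++ = *src;
    }
    *o = '\0';
    return dst;
}

/* Constructed query text; escape == 0 models the code before the fix. */
static int build_query(char *q, size_t qlen, const char *name, int escape)
{
    char lit[2 * 128 + 1];
    if (strlen(name) > 128)
        return -1;
    if (escape)
        name = wql_escape(lit, name);
    int n = snprintf(q, qlen, "select * from Msvm_ComputerSystem "
                     "where ElementName = \"%s\"", name);
    return (n < 0 || (size_t)n >= qlen) ? -1 : n;
}

/* Count quotes not consumed by a backslash; one well-formed literal has two. */
static int unescaped_quotes(const char *name, int escape)
{
    char q[512];
    int n = 0;
    if (build_query(q, sizeof(q), name, escape) < 0)
        return -1;
    for (const char *p = q; *p; p++) {
        if (*p == '\\' && p[1])
            p++;                    /* skip the escaped character */
        else if (*p == '"')
            n++;
    }
    return n;
}

int main(void)
{
    printf("raw: %d, escaped: %d\n", unescaped_quotes("\"", 0), unescaped_quotes("\"", 1));
    return 0;
}
```

The name passed in `main` is the single double quote typed as `\"` in the virsh session above.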