On Thu, May 09, 2013 at 11:23:55AM -0400, Mike Kelly wrote:
> On Wed, May 8, 2013 at 6:53 AM, Richard W.M. Jones
> <rjones(a)redhat.com> wrote:
>> One worry I have is whether quoting is required for the server
>> name(s), export name, username and secret.
> Well. I think the main things we had to quote were ':' and ';', but
> none of those are valid in a hostname. Username also probably doesn't
> contain anything special, and secret is a base64-encoded string. I
> confirmed that even with the string ending in '==', it was parsed just
> fine by qemu, at least in my limited manual testing.
> If you can suggest a way to be more robust about this, though, then I can
> try to work that into a future patch series.
The quoting problem happens when someone writes a program which takes
(eg) a hostname string from the user and passes it unmodified to the
guestfs API. It's an issue if this string can cause unexpected [even
malicious/exploitable] things to happen when passed unquoted on the
qemu command line.
Rich.
--
Richard Jones, Virtualization Group, Red Hat
http://people.redhat.com/~rjones
virt-p2v converts physical machines to virtual machines. Boot with a
live CD or over the network (PXE) and turn machines into KVM guests.
http://libguestfs.org/virt-v2v
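One defensive approach to the quoting worry raised in this thread is to allowlist-validate each user-supplied value before it ever reaches the API, relying on the fact Mike notes that ':' and ';' can never appear in a legal hostname. The code below is an added illustration, not part of libguestfs or of this thread; the hostname and base64 rules follow RFC 1123 and RFC 4648, while the username and export-name alphabets are assumptions.

```python
import re

# Per-field allowlists. Anything outside the allowed alphabet is rejected
# outright, so qemu command-line quoting never has to be relied on.
_LABEL = re.compile(r'^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$')          # RFC 1123 label
_USERNAME = re.compile(r'^[A-Za-z0-9._-]{1,64}$')                 # assumed alphabet
_EXPORT = re.compile(r'^[A-Za-z0-9._/-]+$')                       # assumed alphabet
_BASE64 = re.compile(r'^(?:[A-Za-z0-9+/]{4})*'
                     r'(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$')  # RFC 4648

def is_valid_hostname(host):
    """RFC 1123 hostname: at most 253 chars of dot-separated labels,
    each 1-63 chars of [A-Za-z0-9-] not starting or ending with '-'."""
    if not host or len(host) > 253:
        return False
    host = host.rstrip('.')            # a single trailing dot is legal for an FQDN
    return all(_LABEL.match(label) for label in host.split('.'))

def is_valid_username(user):
    return bool(_USERNAME.match(user))

def is_valid_secret(secret):
    """Base64 text; a trailing '=' or '==' is legal padding and nothing else."""
    return bool(secret) and len(secret) % 4 == 0 and bool(_BASE64.match(secret))

def check_rbd_params(servers, export, username, secret):
    """Return a list of problems; an empty list means every field is safe to
    pass on. 'servers' is a list so the caller never joins hosts with ';'."""
    problems = []
    for s in servers:
        if not is_valid_hostname(s):
            problems.append('bad server name: %r' % s)
    if not _EXPORT.match(export) or '..' in export:
        problems.append('bad export name: %r' % export)
    if not is_valid_username(username):
        problems.append('bad username: %r' % username)
    if not is_valid_secret(secret):
        problems.append('bad secret (not base64)')
    return problems

if __name__ == '__main__':
    # Constructed sample input: one legal set, then a host carrying ';'.
    print(check_rbd_params(['mon1.example.com'], 'rbd/disk1', 'admin', 'QUJDRA=='))
    print(check_rbd_params(['mon1;mon2'], 'rbd/disk1', 'admin', 'QUJDRA=='))
```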