check_ssh_injection not handling quoted args correctly

Bug #1244415 reported by Matthew Edmonds
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Cinder | Fix Released | High | Luis A. Garcia |
Havana | Fix Released | High | Jay Bryant |

Bug Description

check_ssh_injection in cinder/utils.py is disallowing args with spaces even when the arg is quoted. This leads to an SSHInjectionThreat being raised when a volume driver needs to send a quoted arg containing spaces, e.g. when a storage pool name contains a space.
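
The behaviour described above, as an added example that is not Cinder's code: a validator that accepts spaces only inside a fully quoted argument and still rejects shell metacharacters everywhere, including inside quotes. The names validate_ssh_args, is_safe and InjectionThreat, and the sample command "mkvol", are hypothetical; unlike a check that honours backslash escapes, this one rejects backslashes and embedded quotes outright.

```python
import re


class InjectionThreat(ValueError):
    """Raised when an argument could change the remote shell command."""


# Characters the remote shell treats as operators or expansions. Backtick and
# "$" are still expanded inside double quotes, so they are rejected everywhere.
SHELL_META = set("`$|;&<>\n\r\\")

# An argument counts as quoted only if the same quote character opens and closes it.
QUOTED = re.compile(r"""^(?P<q>['"])(?P<body>.*)(?P=q)$""", re.DOTALL)


def validate_ssh_args(cmd_list):
    """Return the command string for cmd_list, or raise InjectionThreat."""
    checked = []
    for raw in cmd_list:
        arg = raw.strip()
        match = QUOTED.match(arg)
        if match:
            # Spaces are fine here, but a quote inside the body would end the
            # quoting early and let the rest be parsed as new shell words.
            body = match.group("body")
            if "'" in body or '"' in body:
                raise InjectionThreat("embedded quote in %r" % raw)
        elif any(ch.isspace() for ch in arg) or "'" in arg or '"' in arg:
            # Unquoted arguments may not contain whitespace or stray quotes.
            raise InjectionThreat("unquoted space or stray quote in %r" % raw)
        if SHELL_META & set(arg):
            raise InjectionThreat("shell metacharacter in %r" % raw)
        checked.append(arg)
    return " ".join(checked)


def is_safe(cmd_list):
    """Boolean wrapper around validate_ssh_args."""
    try:
        validate_ssh_args(cmd_list)
    except InjectionThreat:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample: a pool name containing a space, passed quoted.
    print(validate_ssh_args(["mkvol", "-pool", '"pool one"']))
```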

Changed in cinder:
status: New → Confirmed
tags: added: havana-backport-potential
Changed in cinder:
importance: Undecided → High
Luis A. Garcia (luisg-8)
Changed in cinder:
assignee: nobody → Luis A. Garcia (luisg-8)
Changed in cinder:
status: Confirmed → In Progress
Luis A. Garcia (luisg-8) wrote :
OpenStack Infra (hudson-openstack) wrote : Fix merged to cinder (master)

Reviewed: https://review.openstack.org/54405
Committed: http://github.com/openstack/cinder/commit/2737c76cb2fb436f117a4f635aebca7a01691d88
Submitter: Jenkins
Branch: master

commit 2737c76cb2fb436f117a4f635aebca7a01691d88
Author: Luis A. Garcia <email address hidden>
Date: Tue Oct 29 18:44:12 2013 +0000

    Allow spaces in quoted SSH command arguments

    The check_ssh_injection() method was rejecting arguments with spaces
    even when they were quoted, this was causing problems with some volume
    driver commands such as commands for a storage pool with spaces in the
    name.

    Closes-Bug: #1244415
    Change-Id: Ie4b809e1b39fdb752cf634e6d3c0a3924d8ac52b

Changed in cinder:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to cinder (stable/havana)

Fix proposed to branch: stable/havana
Review: https://review.openstack.org/54762

Alan Pevec (apevec)
tags: removed: havana-backport-potential
OpenStack Infra (hudson-openstack) wrote : Fix merged to cinder (stable/havana)

Reviewed: https://review.openstack.org/54762
Committed: http://github.com/openstack/cinder/commit/ff6d79005f517bb58f9f28a8187aa26fa1dbd64d
Submitter: Jenkins
Branch: stable/havana

commit ff6d79005f517bb58f9f28a8187aa26fa1dbd64d
Author: Luis A. Garcia <email address hidden>
Date: Tue Oct 29 18:44:12 2013 +0000

    Allow spaces in quoted SSH command arguments

    The check_ssh_injection() method was rejecting arguments with spaces
    even when they were quoted, this was causing problems with some volume
    driver commands such as commands for a storage pool with spaces in the
    name.

    Note that this backport also fixes a typo that has been fixed separately
    in master with commit eb0f2e4dd538a79184efbb23d7e404147dfe877b .

    Closes-Bug: #1244415
    Change-Id: Ie4b809e1b39fdb752cf634e6d3c0a3924d8ac52b
    (cherry picked from commit 2737c76cb2fb436f117a4f635aebca7a01691d88)

Thierry Carrez (ttx)
Changed in cinder:
milestone: none → icehouse-1
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in cinder:
milestone: icehouse-1 → 2014.1