check_ssh_injection not handling quoted args correctly

Bug #1244415 reported by Matthew Edmonds on 2013-10-24
This bug affects 1 person
Affects: Cinder; Importance: High; Assigned to: Luis A. Garcia
Affects: Havana; Importance: High; Assigned to: Jay Bryant

Bug Description

check_ssh_injection in cinder/utils.py is disallowing args with spaces even when the arg is quoted. This leads to an SSHInjectionThreat being raised when a volume driver needs to send a quoted arg containing spaces, e.g. when a storage pool name contains a space.

Changed in cinder:
status: New → Confirmed
tags: added: havana-backport-potential
Changed in cinder:
importance: Undecided → High
Luis A. Garcia (luisg-8) on 2013-10-29
Changed in cinder:
assignee: nobody → Luis A. Garcia (luisg-8)
Changed in cinder:
status: Confirmed → In Progress

Reviewed: https://review.openstack.org/54405
Committed: http://github.com/openstack/cinder/commit/2737c76cb2fb436f117a4f635aebca7a01691d88
Submitter: Jenkins
Branch: master

commit 2737c76cb2fb436f117a4f635aebca7a01691d88
Author: Luis A. Garcia <email address hidden>
Date: Tue Oct 29 18:44:12 2013 +0000

    Allow spaces in quoted SSH command arguments

    The check_ssh_injection() method was rejecting arguments with spaces
    even when they were quoted, this was causing problems with some volume
    driver commands such as commands for a storage pool with spaces in the
    name.

    Closes-Bug: #1244415
    Change-Id: Ie4b809e1b39fdb752cf634e6d3c0a3924d8ac52b
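
The rule the commit message describes (spaces accepted only inside a quoted argument), as an added example that is not Cinder's code. The names `check_quoted_args` and `rejected`, the deny-list and the sample commands are assumptions made here, and the check is deliberately strict: it refuses any quote, backslash or shell operator inside an argument rather than trying to interpret escapes.

```python
import re


class SSHInjectionThreat(Exception):
    """Local stand-in for the exception named in the bug report."""


# Assumed deny-list: operators and expansions of a POSIX-style remote shell.
SHELL_META = set("`$|;&<>\\\n\r")
# Whole argument wrapped in one matching pair of single or double quotes.
QUOTED = re.compile(r"""^(?P<q>['"])(?P<body>.*)(?P=q)$""", re.S)


def check_quoted_args(cmd_list):
    """Return cmd_list unchanged, or raise SSHInjectionThreat.

    A space is accepted only inside an argument wrapped in matching quotes.
    """
    for arg in cmd_list:
        m = QUOTED.match(arg)
        if m:
            body = m.group("body")
            # A quote inside the body would end the quoting early and
            # expose the remainder of the argument to the remote shell.
            if "'" in body or '"' in body:
                raise SSHInjectionThreat(arg)
        else:
            # Unquoted: whitespace or a stray quote changes how the
            # remote side splits the command line into words.
            if any(c.isspace() for c in arg) or "'" in arg or '"' in arg:
                raise SSHInjectionThreat(arg)
            body = arg
        if SHELL_META & set(body):
            raise SSHInjectionThreat(arg)
    return cmd_list


def rejected(cmd_list):
    """True when check_quoted_args refuses the command."""
    try:
        check_quoted_args(cmd_list)
    except SSHInjectionThreat:
        return True
    return False


# Constructed sample: a pool name with a space, quoted by the driver.
GOOD = ["create-volume", "--pool", '"pool one"']
# Constructed sample: the same name without quotes.
BAD_UNQUOTED = ["create-volume", "--pool", "pool one"]
```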

Changed in cinder:
status: In Progress → Fix Committed
Alan Pevec (apevec) on 2013-11-13
tags: removed: havana-backport-potential

Reviewed: https://review.openstack.org/54762
Committed: http://github.com/openstack/cinder/commit/ff6d79005f517bb58f9f28a8187aa26fa1dbd64d
Submitter: Jenkins
Branch: stable/havana

commit ff6d79005f517bb58f9f28a8187aa26fa1dbd64d
Author: Luis A. Garcia <email address hidden>
Date: Tue Oct 29 18:44:12 2013 +0000

    Allow spaces in quoted SSH command arguments

    The check_ssh_injection() method was rejecting arguments with spaces
    even when they were quoted, this was causing problems with some volume
    driver commands such as commands for a storage pool with spaces in the
    name.

    Note that this backport also fixes a typo that has been fixed separately
    in master with commit eb0f2e4dd538a79184efbb23d7e404147dfe877b .

    Closes-Bug: #1244415
    Change-Id: Ie4b809e1b39fdb752cf634e6d3c0a3924d8ac52b
    (cherry picked from commit 2737c76cb2fb436f117a4f635aebca7a01691d88)

Thierry Carrez (ttx) on 2013-12-04
Changed in cinder:
milestone: none → icehouse-1
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2014-04-17
Changed in cinder:
milestone: icehouse-1 → 2014.1