Comment 7 for bug 1270204

Zoltan Arnold Nagy (zoltan) wrote :


Your confusion comes from the misleading variable name I think in the driver. It's not a valid, RFC defined hostname. It's a server name that references a fiber channel ID in the driver (so you can map volumes to hosts). Now, this server name can be arbitrarily defined by the user.

If you were to set the hostname to "some host; rm -rf /", that would be indeed caught even after the patches by the SSH injection check (and I'm sure it the storwize system wouldn't allow that in the first place, so we wouldn't even get this far). The only character that the injection check allows is a space, and it only allows that if it's within quotes.

So even if you somehow managed to set that hostname through the storwize CLI/GUI (or FSM CLI/GUI), which is doubtful, it won't be sent to the storage.

(And even if it were sent to the storage, the other size of it's SSH connection is an rbash, where you cannot misbehave or do anything distruptive at all.)