Reviewed: https://review.openstack.org/411936
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=847952927c60ed0577bc835adf607ed7b8f15240
Submitter: Jenkins
Branch: master
commit 847952927c60ed0577bc835adf607ed7b8f15240
Author: Neil Jerram <email address hidden>
Date: Fri Dec 16 17:49:59 2016 +0000
libvirt: avoid generating script with empty path
Previously, libvirt just appended 'script=' onto the QEMU cmd line
according to what <script path=''/> contained, letting QEMU execute the
script. That was flawed from security POV (you don't want QEMU to be
allowed to execute anything), so newer libvirt (as of [1]) executes the
script now. But the libvirt code doesn't allow this corner case (of
allowing and ignoring an empty script path) whereas apparently the QEMU
code does.
So the Nova setting of '' used to work by accident, but now does not.
[1] http://libvirt.org/git/?p=libvirt.git;a=commitdiff;h=9c17d66 (autocreate
tap device for ethernet network type)
Closes-Bug: #1649527
Change-Id: I4f97c05e2dec610af22a5150dd27696e1d767896
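
The corner case described in the commit message above, as an added example (not Nova's or libvirt's code): a generator that omits `<script>` when the path is unset or empty, and a check that flags existing domain XML still carrying `<script path=''/>`. The function names, device names and sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET


def build_ethernet_interface(mac, target_dev, script=None):
    """Build <interface type='ethernet'> XML (hypothetical helper).

    <script> is emitted only for a non-empty path, so None or '' never
    reaches libvirt as <script path=''/>.
    """
    iface = ET.Element("interface", type="ethernet")
    ET.SubElement(iface, "mac", address=mac)
    ET.SubElement(iface, "target", dev=target_dev)
    if script:  # None and '' both mean "no script"
        ET.SubElement(iface, "script", path=script)
    return ET.tostring(iface, encoding="unicode")


def find_empty_script_paths(domain_xml):
    """Return target dev names of interfaces whose <script> path is empty."""
    root = ET.fromstring(domain_xml)
    flagged = []
    for iface in root.iter("interface"):
        script = iface.find("script")
        if script is not None and not script.get("path", "").strip():
            target = iface.find("target")
            flagged.append(target.get("dev") if target is not None else "<no target>")
    return flagged


# Constructed sample: the first interface has the problematic empty path.
SAMPLE_DOMAIN = """
<domain type='kvm'>
  <devices>
    <interface type='ethernet'>
      <mac address='52:54:00:00:00:01'/>
      <target dev='tap-old'/>
      <script path=''/>
    </interface>
    <interface type='ethernet'>
      <mac address='52:54:00:00:00:02'/>
      <target dev='tap-new'/>
    </interface>
  </devices>
</domain>
"""

if __name__ == "__main__":
    print(find_empty_script_paths(SAMPLE_DOMAIN))
    print(build_ethernet_interface("52:54:00:00:00:03", "tap-x", script=""))
```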