* [pve-devel] [PATCH storage] plugin: lvm: volume snapshot info: untaint snapshot filename
@ 2025-07-31 7:13 Friedrich Weber
2025-07-31 7:20 ` [pve-devel] applied: " Thomas Lamprecht
0 siblings, 1 reply; 2+ messages in thread
From: Friedrich Weber @ 2025-07-31 7:13 UTC (permalink / raw)
To: pve-devel
Without untainting, offline-deleting a volume-chain snapshot on an LVM
storage via the GUI can fail with an "Insecure dependecy in exec
[...]" error, because volume_snapshot_delete uses the filename its
qemu-img invocation.
Commit 93f0dfb ("plugin: volume snapshot info: untaint snapshot
filename") fixed this already for the volume_snapshot_info
implementation of the Plugin base class, but missed that the LVM
plugin overrides the method and was still missing the untaint.
Signed-off-by: Friedrich Weber <f.weber@proxmox.com>
---
src/PVE/Storage/LVMPlugin.pm | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/PVE/Storage/LVMPlugin.pm b/src/PVE/Storage/LVMPlugin.pm
index e3fe9ff..0416c9e 100644
--- a/src/PVE/Storage/LVMPlugin.pm
+++ b/src/PVE/Storage/LVMPlugin.pm
@@ -831,6 +831,7 @@ sub volume_snapshot_info {
my $snapshots = $json_decode;
for my $snap (@$snapshots) {
my $snapfile = $snap->{filename};
+ ($snapfile) = $snapfile =~ m|^(/.*)|; # untaint
my $snapname = $get_snapname_from_path->($snapfile);
#not a proxmox snapshot
next if !$snapname;
--
2.47.2
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
^ permalink raw reply [flat|nested] 2+ messages in thread* [pve-devel] applied: [PATCH storage] plugin: lvm: volume snapshot info: untaint snapshot filename
2025-07-31 7:13 [pve-devel] [PATCH storage] plugin: lvm: volume snapshot info: untaint snapshot filename Friedrich Weber
@ 2025-07-31 7:20 ` Thomas Lamprecht
0 siblings, 0 replies; 2+ messages in thread
From: Thomas Lamprecht @ 2025-07-31 7:20 UTC (permalink / raw)
To: pve-devel, Friedrich Weber
On Thu, 31 Jul 2025 09:13:02 +0200, Friedrich Weber wrote:
> Without untainting, offline-deleting a volume-chain snapshot on an LVM
> storage via the GUI can fail with an "Insecure dependecy in exec
> [...]" error, because volume_snapshot_delete uses the filename its
> qemu-img invocation.
>
> Commit 93f0dfb ("plugin: volume snapshot info: untaint snapshot
> filename") fixed this already for the volume_snapshot_info
> implementation of the Plugin base class, but missed that the LVM
> plugin overrides the method and was still missing the untaint.
>
> [...]
Applied, thanks!
[1/1] plugin: lvm: volume snapshot info: untaint snapshot filename
commit: 92efe5c6cb9904ebf7bbb7f8d690ac80e7c91e23
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2025-07-31 7:18 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2025-07-31 7:13 [pve-devel] [PATCH storage] plugin: lvm: volume snapshot info: untaint snapshot filename Friedrich Weber
2025-07-31 7:20 ` [pve-devel] applied: " Thomas Lamprecht
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.