public inbox for pve-devel@lists.proxmox.com
From: Dominik Csapak <d.csapak@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH storage v7 11/11] plugin: file_size_info: warn on parent images with unusual path
Date: Mon, 18 Nov 2024 16:29:14 +0100
Message-ID: <20241118152928.858590-12-d.csapak@proxmox.com>
In-Reply-To: <20241118152928.858590-1-d.csapak@proxmox.com>

If the base image (parent) of an image contains e.g. whitespace in its
path, the current untainting would not match and it would seem there was
no parent.

Since untrusted files are not allowed to have backing parts, just warn
when encountering this case, to keep backwards compatibility.

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
---
changes from v6:
* only warn if we find invalid characters but keep behaviour, for
  backwards compat for existing setups

 src/PVE/Storage/Plugin.pm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/PVE/Storage/Plugin.pm b/src/PVE/Storage/Plugin.pm
index 8f1c7c8..2407eba 100644
--- a/src/PVE/Storage/Plugin.pm
+++ b/src/PVE/Storage/Plugin.pm
@@ -1031,6 +1031,7 @@ sub file_size_info {
     ($format) = ($format =~ /^(\S+)$/); # untaint
     die "format '$format' includes whitespace\n" if !defined($format);
     if (defined($parent)) {
+	warn "strange parent name path '$parent' found\n" if $parent =~ m/[^\S]/;
 	($parent) = ($parent =~ /^(\S+)$/); # untaint
     }
     return wantarray ? ($size, $format, $used, $parent, $st->ctime) : $size;
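
Review bot: the condition on the added line, `$parent =~ m/[^\S]/`, is a double negative equivalent to `m/\s/`; the plain form reads more clearly next to the `/^(\S+)$/` untaint below it. The message also leaves out the consequence: when the warning fires, the untaint match on the following line fails and `$parent` ends up undefined, so the caller is told there is no parent. Saying so in the text (for example "ignoring parent with whitespace in path") and naming the image being inspected would make the log entry actionable. Because `$parent` is interpolated before it is untainted and the match covers any whitespace, including newlines, the value can split the warning across several log lines; consider escaping it so the entry stays on one line.
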
-- 
2.39.5


