xenstore.py xapi plugin uses potentially insecure shell=True
Bug #746731 reported by Johannes Erdfelt
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Compute (nova) | Fix Released | Medium | Josh Kearney | |
Bug Description
This is a similar bug to LP726359.
plugins/
Related branches
lp://staging/~jk0/nova/lp746731
- Sandy Walsh (community): Approve
- Cory Wright (community): Approve
- Johannes Erdfelt (community): Approve
Diff: 78 lines (+19/-16), 1 file modified: plugins/xenserver/xenapi/etc/xapi.d/plugins/xenstore.py (+19/-16)
Changed in nova:
status: Confirmed → In Progress
assignee: nobody → Josh Kearney (jk0)
Changed in nova:
status: In Progress → Fix Committed
Changed in nova:
status: Fix Committed → Fix Released
milestone: none → 2011.2
Here is my first stab at a patch for the problem.
The code depends on using the shell in two ways:
1) It creates a space-delimited string with all of the arguments
2) In one case it uses shell variables to get the status of a command
The patch changes the code to pass a list of arguments as well as returning a status code for the command.
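
The change described in the comment above, as an added example that is not taken from the bug report or from the nova patch: the same value is passed once as a space-delimited string under `shell=True` and once as an argument list with the exit status returned to the caller. The function names, the `HELPER` stand-in command and the sample value are assumptions made for illustration, and the shell case assumes a POSIX `/bin/sh`.

```python
import subprocess
import sys

# Constructed stand-in for the external binary a plugin would call: it prints
# its first argument and exits with the status given as its second argument.
HELPER = [sys.executable, "-c",
          "import sys; print(sys.argv[1]); sys.exit(int(sys.argv[2]))"]


def run_with_shell(value):
    """'Before' pattern: a space-delimited string handed to a shell."""
    cmd = "echo %s" % value
    proc = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE)
    out, _ = proc.communicate()
    return out.decode().splitlines()


def run_with_list(value, status=0):
    """'After' pattern: argument list, no shell, exit status returned."""
    cmd = HELPER + [value, str(status)]
    proc = subprocess.Popen(cmd, stdout=subprocess.PIPE,
                            stderr=subprocess.PIPE)
    out, _ = proc.communicate()
    # The status comes from the process object, not from a shell variable.
    return proc.returncode, out.decode().splitlines()


# Constructed input containing a shell metacharacter.
SAMPLE = "vm-1; echo INJECTED"

if __name__ == "__main__":
    # The shell parses the value and runs two commands.
    print(run_with_shell(SAMPLE))
    # The value reaches the child process as one literal argument.
    print(run_with_list(SAMPLE))
    # A non-zero exit status is reported directly to the caller.
    print(run_with_list("vm-1", status=3))
```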