← Back to team overview

yahoo-eng-team team mailing list archive

[Bug 1074087] Re: Xen migration driver should use execvp

 

Most of these scripts do appear to be fixed in one way or another.
However, there is still a problem in
nova/plugins/xenserver/xenapi/etc/xapi.d/plugins/xenhost. It defines
_run_command() which uses shell=True.

** Changed in: nova
       Status: Invalid => New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1074087

Title:
  Xen migration driver should use execvp

Status in OpenStack Compute (Nova):
  New

Bug description:
  The Xen drivers split a string to create an array for
  subprocess.Popen, rather than passing an array directly. This invites
  the potential for command injection / manipulation.

  There is no clearly valid reason to use string splitting here when
  arguments can be passed, as elsewhere, directly into Popen.

  The behavior here is present in current Trunk, Folsom, and Essex.  Per
  Trunk and Folsom, _rsync_vhds calls plugins.utils.subprocess to
  perform the splitting.  In Essex, this behaviorism was present
  directly in migration/transfer_vhd.py, rather than in utils.py.
  Earlier releases have not been evaluated.

  I am not certain if this is directly exploitable. The user field is
  inserted into the generated strings used for command-line execution,
  and it does seem that Keystone allows usernames to contain arbitrary
  tokens/characters such as spaces.  It is not clear to me if the user
  field directly matches that in Keystone, if the user field is
  otherwise validated in the API, etc.  Other fields inserted into the
  command string seem to be internally generated.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1074087/+subscriptions