On Mon, Oct 16, 2017 at 3:58 PM, John Ferlan <jferlan(a)redhat.com> wrote:
On 10/06/2017 02:47 AM, Ladi Prosek wrote:
> The code was vulnerable to SQL injection. Likely not a security issue due to
> WMI SQL and other constraints but still lame. For example:
>
> virsh # dominfo \"
> error: failed to get domain '"'
> error: internal error: SOAP fault during enumeration: code 's:Sender', subcode
> 'n:CannotProcessFilter', reason 'The data source could not process the filter.
> The filter might be missing or it might be invalid. Change the filter and try
> the request again. ', detail 'The WS-Management service cannot process the
> request. The WQL query is invalid. '
>
> This commit fixes the Hyper-V driver by escaping all WMI SQL string parameters.
>
> The same command with the fix:
>
> virsh # dominfo \"
> error: failed to get domain '"'
> error: Domain not found: No domain with name "
>
> Signed-off-by: Ladi Prosek <lprosek(a)redhat.com>
> ---
>  src/hyperv/hyperv_driver.c | 96 +++++++++++++++++++++++-----------------------
>  src/hyperv/hyperv_wmi.c    |  2 +-
>  src/util/virbuffer.c       | 18 +++++++++
>  src/util/virbuffer.h       |  3 ++
>  4 files changed, 70 insertions(+), 49 deletions(-)
>
Surprised to a degree this worked correctly without adding
'virBufferEscapeSQL' to src/libvirt_private.syms
Interesting, I followed the instructions at
https://libvirt.org/compiling.html#building and didn't see any
warnings or indication that something was amiss.
In any case, I'll add before pushing...
Thank you!
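The bug and fix described in the commit message, as an added example that is not part of the thread or of libvirt's own code: a query built by pasting a caller-supplied domain name into a WQL filter, beside the same query built through an escaping helper. The helper names (wql_escape, build_query_unsafe, build_query_safe, count_unescaped_dquotes), the choice of backslash as the escape character for '"', '\'' and '\\', and the Msvm_ComputerSystem/ElementName query shape are all assumptions made for this example; the thread only says that string parameters are now escaped, not how.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Escape a value for use inside a WQL (WMI SQL) string literal.
 * ASSUMPTION for this example: WQL literals use backslash as the escape
 * character, so '"', '\'' and '\\' are each prefixed with a backslash.
 * Returns a malloc'd string, or NULL on allocation failure. */
char *wql_escape(const char *s)
{
    size_t n = 0;
    for (const char *p = s; *p; p++)
        n += (*p == '"' || *p == '\'' || *p == '\\') ? 2 : 1;

    char *out = malloc(n + 1);
    if (!out)
        return NULL;

    char *o = out;
    for (const char *p = s; *p; p++) {
        if (*p == '"' || *p == '\'' || *p == '\\')
            *o++ = '\\';
        *o++ = *p;
    }
    *o = '\0';
    return out;
}

/* The "before" shape: the name is formatted straight into the filter.
 * A name containing a double quote breaks out of the literal and the
 * WS-Management service rejects the query as invalid WQL. The class and
 * property names are illustrative only. */
char *build_query_unsafe(const char *name)
{
    const char *fmt =
        "SELECT * FROM Msvm_ComputerSystem WHERE ElementName = \"%s\"";
    int len = snprintf(NULL, 0, fmt, name);
    if (len < 0)
        return NULL;
    char *q = malloc((size_t)len + 1);
    if (!q)
        return NULL;
    snprintf(q, (size_t)len + 1, fmt, name);
    return q;
}

/* The "after" shape: escape first, then format. The quote in the name
 * stays inside the literal, so the query is well-formed and simply
 * matches no domain. */
char *build_query_safe(const char *name)
{
    char *esc = wql_escape(name);
    if (!esc)
        return NULL;
    char *q = build_query_unsafe(esc);   /* same formatter, escaped input */
    free(esc);
    return q;
}

/* Count double quotes that are not preceded by a backslash. A query whose
 * single string literal is intact has exactly two (the delimiters); any
 * other count means the caller's input escaped the literal. */
int count_unescaped_dquotes(const char *q)
{
    int count = 0;
    for (const char *p = q; *p; p++) {
        if (*p == '\\' && p[1]) {   /* skip the escaped character */
            p++;
            continue;
        }
        if (*p == '"')
            count++;
    }
    return count;
}

int main(void)
{
    /* Constructed input: the same domain name virsh was given above. */
    const char *name = "\"";

    char *bad = build_query_unsafe(name);
    char *good = build_query_safe(name);
    if (!bad || !good)
        return 1;

    printf("unsafe (%d unescaped quotes): %s\n",
           count_unescaped_dquotes(bad), bad);
    printf("safe   (%d unescaped quotes): %s\n",
           count_unescaped_dquotes(good), good);

    free(bad);
    free(good);
    return 0;
}
```

The check in count_unescaped_dquotes is the kind of invariant worth asserting in a unit test around any query builder: every literal delimiter the builder emits should still be a delimiter after the caller's input has been inserted, whatever that input contains.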