
On Mon, Oct 16, 2017 at 3:58 PM, John Ferlan <jferlan@redhat.com> wrote:
> On 10/06/2017 02:47 AM, Ladi Prosek wrote:
>> The code was vulnerable to SQL injection. Likely not a security issue
>> due to WMI SQL and other constraints but still lame. For example:
>>
>>   virsh # dominfo \"
>>   error: failed to get domain '"'
>>   error: internal error: SOAP fault during enumeration: code 's:Sender', subcode 'n:CannotProcessFilter', reason 'The data source could not process the filter. The filter might be missing or it might be invalid. Change the filter and try the request again. ', detail 'The WS-Management service cannot process the request. The WQL query is invalid. '
>>
>> This commit fixes the Hyper-V driver by escaping all WMI SQL string parameters.
>>
>> The same command with the fix:
>>
>>   virsh # dominfo \"
>>   error: failed to get domain '"'
>>   error: Domain not found: No domain with name "
>>
>> Signed-off-by: Ladi Prosek <lprosek@redhat.com>
>> ---
>>  src/hyperv/hyperv_driver.c | 96 +++++++++++++++++++++++-----------------------
>>  src/hyperv/hyperv_wmi.c    |  2 +-
>>  src/util/virbuffer.c       | 18 +++++++++
>>  src/util/virbuffer.h       |  3 ++
>>  4 files changed, 70 insertions(+), 49 deletions(-)
>
> Surprised to a degree this worked correctly without adding 'virBufferEscapeSQL' to src/libvirt_private.syms
Interesting, I followed instructions at https://libvirt.org/compiling.html#building and didn't see any warnings or indication that something was amiss.
In any case, I'll add before pushing...
Thank you!
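The injection the commit message describes, and the escaping the patch adds, can be reproduced outside libvirt. The following is an added example written for this thread; it is not code from the libvirt patch or from the Hyper-V driver. It assumes a WMI-style lookup query of the form `SELECT * FROM Msvm_ComputerSystem WHERE ElementName = "<name>"`, and assumes the escaping rule that WQL string literals take backslash as the escape character, so `'`, `"` and `\` are prefixed with `\`; the helper names (`wql_escape`, `build_domain_query`, `count_unescaped_quotes`) are hypothetical. The sample domain names are constructed inputs; the second one is the `\"` from the virsh session above.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Escape a string for use inside a double-quoted WQL string literal.
 * Assumed rule (not taken from the libvirt patch): backslash is the escape
 * character, so ', " and \ are each prefixed with a backslash.
 * Returns the number of bytes written (excluding the NUL), or -1 if out is
 * too small. */
static int wql_escape(const char *in, char *out, size_t outlen)
{
    size_t n = 0;
    for (const char *p = in; *p; p++) {
        bool special = (*p == '\'' || *p == '"' || *p == '\\');
        size_t need = special ? 2 : 1;
        if (n + need + 1 > outlen)   /* +1 keeps room for the NUL */
            return -1;
        if (special)
            out[n++] = '\\';
        out[n++] = *p;
    }
    out[n] = '\0';
    return (int)n;
}

/* Build the domain-lookup query a WMI-backed driver would send.
 * escape=false interpolates the name raw (the pre-fix behaviour);
 * escape=true runs it through wql_escape first (the post-fix behaviour).
 * Returns the query length, or -1 on buffer overflow. */
static int build_domain_query(const char *name, bool escape,
                              char *out, size_t outlen)
{
    char esc[512];
    const char *val = name;

    if (escape) {
        if (wql_escape(name, esc, sizeof(esc)) < 0)
            return -1;
        val = esc;
    }
    int r = snprintf(out, outlen,
                     "SELECT * FROM Msvm_ComputerSystem WHERE ElementName = \"%s\"",
                     val);
    if (r < 0 || (size_t)r >= outlen)
        return -1;
    return r;
}

/* Count double quotes that are not preceded by a backslash. The query above
 * contains exactly one string literal, so a well-formed query has exactly two;
 * any other count means the caller-controlled name broke out of the literal,
 * either leaving it unterminated (the server's "WQL query is invalid") or
 * smuggling in extra WHERE terms. */
static int count_unescaped_quotes(const char *q)
{
    int count = 0;
    for (const char *p = q; *p; p++) {
        if (*p == '\\' && p[1]) { p++; continue; }  /* skip escaped char */
        if (*p == '"')
            count++;
    }
    return count;
}

int main(void)
{
    char q[1024];
    /* Constructed inputs: a benign name, the virsh example, and a name that
     * closes the literal and appends its own predicate. */
    const char *names[] = { "testvm", "\"", "x\" OR ElementName LIKE \"%" };

    for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
        build_domain_query(names[i], false, q, sizeof(q));
        printf("raw:     %s  (quotes=%d)\n", q, count_unescaped_quotes(q));
        build_domain_query(names[i], true, q, sizeof(q));
        printf("escaped: %s  (quotes=%d)\n", q, count_unescaped_quotes(q));
    }
    return 0;
}
```

The quote count is only a cheap sanity check for the demo; the real defence is that every caller-controlled value goes through the escaper before it reaches the query buffer, which is what routing all string parameters through one helper in the driver achieves.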