the size returned by volume_size_info is used for creating the new destination image in PVE::QemuServer::clone_disk (and probably elsewhere). In certain cases the return values are tainted - they are obtained by a run_command call and depending on the format and length of the parsed output can still have their tainted attribute.
One example of a tainted return has been reported in our community-forum: https://forum.proxmox.com/threads/cannot-clone-vm-or-move-disk-with-more-than-13-snapshots.89628/

A qcow2 image with 13 snapshots generates an output > 4k in length from `qemu-img info --output=json`, which in turn causes the output to be considered tainted.

This patch untaints the returns where applicable.

The other storage-plugins are not affected:
* LVMPlugin returns a single number and a newline (thus gets untainted by run_command)
* RBDPlugin untaints the complete json before decoding
* ZFSPoolplugin and ISCSIDirectPlugin explicitly untaint their returns.

Signed-off-by: Stoiko Ivanov <s.iva...@proxmox.com>
---
Note: Not really a v2, since it's a different patch, but addresses the same issue as in https://lists.proxmox.com/pipermail/pve-devel/2021-June/048910.html

 PVE/Storage/PBSPlugin.pm | 4 +++-
 PVE/Storage/Plugin.pm    | 6 ++++++
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/PVE/Storage/PBSPlugin.pm b/PVE/Storage/PBSPlugin.pm index a439dd2..2576764 100644 --- a/PVE/Storage/PBSPlugin.pm +++ b/PVE/Storage/PBSPlugin.pm @@ -811,7 +811,9 @@ sub volume_size_info { my $size = 0; foreach my $info (@$data) { - $size += $info->{size} if $info->{size}; + if ($info->{size} && $info->{size} =~ /^(\d+)$/) { + $size += $1; + } } my $used = $size; diff --git a/PVE/Storage/Plugin.pm b/PVE/Storage/Plugin.pm index d330845..2bcbc84 100644 --- a/PVE/Storage/Plugin.pm +++ b/PVE/Storage/Plugin.pm
@@ -837,6 +837,12 @@ sub file_size_info { my ($size, $format, $used, $parent) = $info->@{qw(virtual-size format actual-size backing-filename)}; + ($size) = ($size =~ /^(\d+)$/); #untaint + ($used) = ($used =~ /^(\d+)$/); #untaint + ($format) = ($format =~ /^([-\w]+)$/); #untaint + if (defined($parent)) { + ($parent) = ($parent =~ /^(.*)$/); #untaint + } return wantarray ? ($size, $format, $used, $parent, $st->ctime) : $size; }
--
2.20.1

_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
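Review bot: in the PBSPlugin.pm hunk (`@@ -811,7 +811,9 @@ sub volume_size_info`) a `size` that is defined but does not match `/^(\d+)$/` is now silently skipped instead of being added, so an unexpected value in the parsed backup listing makes the reported total smaller with no error at all; the old line `$size += $info->{size} if $info->{size};` at least counted every non-empty value. Since `$size` starts from a literal `0` and only ever accumulates `$1`, the result is untainted either way, so the cheaper and safer shape is to keep the accumulation and fail loudly on a malformed entry, e.g. `die "unexpected size '$info->{size}'\n" if $info->{size} !~ /^(\d+)$/;` before `$size += $1;`, so a broken listing is visible to the caller rather than hidden in a too-small number.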
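Review bot: in the Plugin.pm hunk (`@@ -837,6 +837,12 @@ sub file_size_info`) the list-assignment untaint `($size) = ($size =~ /^(\d+)$/); #untaint` turns a value that does not match into undef rather than into an error, and the same holds for `$used` and `$format`; the function then returns undef as the size (and, when `actual-size` is missing from the parsed JSON, the match on `$used` runs on an undefined value), which a caller like clone_disk will see as a nonsense size rather than as a parse failure. Suggest checking before untainting so the failure is explicit, e.g. `die "unexpected virtual-size '$size'\n" if !defined($size) || $size !~ /^\d+$/;` followed by the existing capture, or at least skipping the `$used` match when it is undefined. The `/^(.*)$/` on `$parent` is a blanket untaint that validates nothing about the backing filename; if that is intentional because the value is only passed through, a short comment saying so would save the next reader from wondering whether a stricter pattern was forgotten.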
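The mechanism behind the patch, as an added stand-alone demonstration written for this review (it is not code from pve-storage and does not call run_command): under `perl -T`, data that comes from outside the program stays tainted through `decode_json`, a regex capture is what clears the flag, and the list-assignment idiom used in the patch turns a non-matching value into undef instead of an error. The JSON text is a constructed sample in the shape of `qemu-img info --output=json`, it is tainted the documented way (an empty substring of a tainted `%ENV` value, since nothing external is executed here), and the helper names `untaint_number`, `untaint_number_or_die` and `untaint_format` are this example's own, not names from the project.

```perl
#!/usr/bin/perl -T
# Added demonstration of Perl taint propagation and regex untainting for this
# review; not code from pve-storage. Run it as:  perl -T taint_demo.pl
use strict;
use warnings;
use JSON::PP qw(decode_json);
use Scalar::Util qw(tainted);

# Constructed stand-in for `qemu-img info --output=json` output (sample data,
# not captured from a real image). In the plugin this text would come from
# run_command and be tainted; here we taint the literal by appending an empty
# substring of a %ENV value, which is always tainted under -T.
my $taint = substr($ENV{PATH} // $ENV{HOME} // '', 0, 0);
my $qemu_img_json = <<'JSON' . $taint;
{"virtual-size": 34359738368, "format": "qcow2",
 "actual-size": 1234567, "backing-filename": "base.qcow2"}
JSON

# The idiom the patch uses: a regex capture clears the taint flag, but a value
# that does not match the pattern silently becomes undef.
sub untaint_number {
    my ($value) = @_;
    return undef if !defined($value);
    my ($clean) = ("$value" =~ /^(\d+)$/);
    return $clean;
}

# Stricter variant: an unexpected value is an error, not a silent undef.
sub untaint_number_or_die {
    my ($value, $what) = @_;
    die "$what: value missing\n" if !defined($value);
    my ($clean) = ("$value" =~ /^(\d+)$/)
        or die "$what: unexpected value '$value'\n";
    return $clean;
}

# Same pattern as the patch's format untaint, with a loud failure.
sub untaint_format {
    my ($value) = @_;
    die "format: value missing\n" if !defined($value);
    my ($clean) = ("$value" =~ /^([-\w]+)$/)
        or die "format: unexpected value '$value'\n";
    return $clean;
}

my $info = decode_json($qemu_img_json);
my ($size, $format, $used, $parent) =
    @{$info}{qw(virtual-size format actual-size backing-filename)};

printf "before untaint: size=%s tainted=%d\n", $size, tainted($size) ? 1 : 0;

$size   = untaint_number_or_die($size, 'virtual-size');
$used   = untaint_number_or_die($used, 'actual-size');
$format = untaint_format($format);
if (defined($parent)) {
    # Same blanket untaint as the patch: it validates nothing about the path.
    ($parent) = ($parent =~ /^(.*)$/);
}

printf "after untaint:  size=%s tainted=%d format=%s used=%s parent=%s\n",
    $size, tainted($size) ? 1 : 0, $format, $used, $parent // '-';

# Failure mode of the silent variant on a malformed (constructed) value:
my $bad = untaint_number("12.5e3" . $taint);
printf "untaint_number('12.5e3') => %s\n", defined($bad) ? $bad : 'undef';

# The strict variant reports the problem instead of handing back undef:
eval { untaint_number_or_die("12.5e3" . $taint, 'virtual-size') };
print "untaint_number_or_die: $@";
```

Start it with `perl -T` on the command line rather than `perl taint_demo.pl`, otherwise Perl refuses with "Too late for -T option". `Scalar::Util::tainted` reports the flag before and after the capture, and the last two statements show the difference that matters for file_size_info: the silent idiom returns undef for `12.5e3`, while the checking variant dies with a message naming the field.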