I had RussellB double check this as well, and we think this is invalid now. Please reopen if you disagree.
** Changed in: nova
       Status: Confirmed => Invalid

** Changed in: nova
   Importance: Medium => Undecided

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1074087

Title:
  Xen migration driver should use execvp

Status in OpenStack Compute (Nova):
  Invalid

Bug description:
  The Xen drivers split a string to create an array for subprocess.Popen, rather than passing an array directly. This invites the potential for command injection / manipulation. There is no clearly valid reason to use string splitting here when arguments can be passed, as elsewhere, directly into Popen.

  The behavior here is present in current Trunk, Folsom, and Essex. Per Trunk and Folsom, _rsync_vhds calls plugins.utils.subprocess to perform the splitting. In Essex, this behaviorism was present directly in migration/transfer_vhd.py, rather than in utils.py. Earlier releases have not been evaluated.

  I am not certain if this is directly exploitable. The user field is inserted into the generated strings used for command-line execution, and it does seem that Keystone allows usernames to contain arbitrary tokens/characters such as spaces. It is not clear to me if the user field directly matches that in Keystone, if the user field is otherwise validated in the API, etc. Other fields inserted into the command string seem to be internally generated.
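The difference between splitting a formatted command string and passing an argument list, as an added example that is not nova's or the XenAPI plugin's code. The rsync template, function names, host, paths and user values are constructed for illustration, and nothing is executed.

```python
import re

# Hypothetical command template (assumption); not taken from the nova plugins.
TEMPLATE = "rsync -av --progress %(src)s %(user)s@%(host)s:%(dest)s"

# Constructed sample values.
HOST, SRC, DEST = "10.0.0.2", "/images/a.vhd", "/images/"


def argv_by_split(user, host=HOST, src=SRC, dest=DEST):
    """Pattern from the bug description: format one string, then split it.

    Whitespace inside any interpolated field becomes an argument boundary.
    """
    cmd = TEMPLATE % {"src": src, "user": user, "host": host, "dest": dest}
    return cmd.split()


def argv_direct(user, host=HOST, src=SRC, dest=DEST):
    """Build the list that subprocess.Popen(args, shell=False) would receive.

    Each field stays inside exactly one argv element, whatever it contains.
    """
    return ["rsync", "-av", "--progress", src, "%s@%s:%s" % (user, host, dest)]


# Conservative allow-list for a field that ends up in a command line:
# no whitespace, and no leading '-' that a tool could read as an option.
_FIELD_RE = re.compile(r"^[A-Za-z0-9_.][A-Za-z0-9_.-]*$")


def is_safe_field(value):
    """Return True if value passes the allow-list above."""
    return bool(_FIELD_RE.match(value))


def argc_drift(user):
    """How many argv elements the split pattern gains relative to a plain user."""
    return len(argv_by_split(user)) - len(argv_by_split("root"))


if __name__ == "__main__":
    for user in ("root", "ops team"):  # second value contains a space
        print(repr(user), is_safe_field(user))
        print("  split :", argv_by_split(user))
        print("  direct:", argv_direct(user))
```

A non-zero `argc_drift` for a stored field value is a simple regression check that a command builder still splits strings instead of passing a list.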