rpc: gendispatch: handle empty flags

CVE-2020-25637

Prepare for omission of the <flagname> in remote_protocol.x
@acl annotations:
 @acl: <object>:<permission>:<flagname>
so that we can add more fields after, e.g.:
 @acl: <object>:<permission>::<field>

Signed-off-by: Ján Tomko <jtomko@redhat.com>
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>

diff --git a/src/rpc/gendispatch.pl b/src/rpc/gendispatch.pl
index 0b2ae599109cc3e860f0b7be2a9f0c157283533c..6feb1c8320c13719cf02886cfb853ddc970c880a 100755 (executable)
--- a/src/rpc/gendispatch.pl
+++ b/src/rpc/gendispatch.pl
@@ -2119,7 +2119,7 @@ elsif ($mode eq "client") {
                 if ($acl[$i]->{object} ne $acl[0]->{object}) {
                     die "acl for '$call->{ProcName}' cannot check different objects";
                 }
-                if (defined $acl[$i]->{flags}) {
+                if (defined $acl[$i]->{flags} && length $acl[$i]->{flags}) {
                     $checkflags = 1;
                 }
             }
@@ -2207,7 +2207,7 @@ elsif ($mode eq "client") {
                     my $method = "virAccessManagerCheck" . $object;
                     my $space = ' ' x length($method);
                     print "    if (";
-                    if (defined $acl->{flags}) {
+                    if (defined $acl->{flags} && length $acl->{flags}) {
                         my $flags = $acl->{flags};
                         if ($flags =~ /^\!/) {
                             $flags = substr $flags, 1;