git.ipfire.org Git - thirdparty/libvirt.git/commit

author	Ladi Prosek <lprosek@redhat.com>
	Fri, 6 Oct 2017 06:47:34 +0000 (08:47 +0200)
committer	John Ferlan <jferlan@redhat.com>
	Mon, 16 Oct 2017 14:29:32 +0000 (10:29 -0400)
commit	5ae2d9c25912d2f6e357e3d2d63aa0be7f35aa90
tree	7a4a16cb463c1ffbf840f4509cb595fe16586569	tree
parent	bb8c2a76ca2c5e88042ed073baa91a97512223f6	commit \| diff

hyperv: Escape WQL queries

The code was vulnerable to SQL injection. Likely not a security issue due to
WMI SQL and other constraints but still lame. For example:

  virsh # dominfo \"
  error: failed to get domain '"'
  error: internal error: SOAP fault during enumeration: code 's:Sender', subcode
  'n:CannotProcessFilter', reason 'The data source could not process the filter.
  The filter might be missing or it might be invalid. Change the filter and try
  the request again.  ', detail 'The WS-Management service cannot process the
  request. The WQL query is invalid. '

This commit fixes the Hyper-V driver by escaping all WMI SQL string parameters.

The same command with the fix:

  virsh # dominfo \"
  error: failed to get domain '"'
  error: Domain not found: No domain with name "

Signed-off-by: Ladi Prosek <lprosek@redhat.com>

src/hyperv/hyperv_driver.c		diff \| blob \| blame \| history
src/hyperv/hyperv_wmi.c		diff \| blob \| blame \| history
src/libvirt_private.syms		diff \| blob \| blame \| history
src/util/virbuffer.c		diff \| blob \| blame \| history
src/util/virbuffer.h		diff \| blob \| blame \| history