On Mon, Oct 16, 2017 at 3:58 PM, John Ferlan <jferlan@xxxxxxxxxx> wrote:
>
>
> On 10/06/2017 02:47 AM, Ladi Prosek wrote:
>> The code was vulnerable to SQL injection. Likely not a security issue due to
>> WMI SQL and other constraints but still lame. For example:
>>
>> virsh # dominfo \"
>> error: failed to get domain '"'
>> error: internal error: SOAP fault during enumeration: code 's:Sender', subcode
>> 'n:CannotProcessFilter', reason 'The data source could not process the filter.
>> The filter might be missing or it might be invalid. Change the filter and try
>> the request again. ', detail 'The WS-Management service cannot process the
>> request. The WQL query is invalid. '
>>
>> This commit fixes the Hyper-V driver by escaping all WMI SQL string parameters.
>>
>> The same command with the fix:
>>
>> virsh # dominfo \"
>> error: failed to get domain '"'
>> error: Domain not found: No domain with name "
>>
>> Signed-off-by: Ladi Prosek <lprosek@xxxxxxxxxx>
>> ---
>>  src/hyperv/hyperv_driver.c | 96 +++++++++++++++++++++++-----------------------
>>  src/hyperv/hyperv_wmi.c    |  2 +-
>>  src/util/virbuffer.c       | 18 +++++++++
>>  src/util/virbuffer.h       |  3 ++
>>  4 files changed, 70 insertions(+), 49 deletions(-)
>>
>
> Surprised to a degree this worked correctly without adding
> 'virBufferEscapeSQL' to src/libvirt_private.syms

Interesting, I followed instructions at
https://libvirt.org/compiling.html#building and didn't see any warnings or
indication that something was amiss.

> In any case, I'll add before pushing...

Thank you!

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
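The injection the commit message describes, as an added example that is not part of the thread and not libvirt's own code: a domain name is pasted verbatim into a WQL filter, so the single '"' from the `dominfo \"` case closes the string literal early and the WS-Management service rejects the query. The fixed variant runs every string parameter through an escaping routine first. The escaping convention used here (a backslash before '\\', '"' and '\'') is an assumption about what the WQL data source accepts and is not taken from the patch; the class name Example_ComputerSystem and the function names are illustrative.

```c
/* Added example (not libvirt code): escaping untrusted strings before
 * they are interpolated into a WQL filter.  The escape set and the
 * class/property names are assumptions made for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return a malloc'd copy of 's' in which every '\\', '"' and '\'' is
 * prefixed with a backslash, so the result can sit inside a
 * double-quoted WQL string literal.  Caller frees. */
char *wql_escape(const char *s)
{
    size_t n = 0;
    for (const char *p = s; *p; p++)
        n += (*p == '\\' || *p == '"' || *p == '\'') ? 2 : 1;
    char *out = malloc(n + 1);
    if (!out)
        return NULL;
    char *o = out;
    for (const char *p = s; *p; p++) {
        if (*p == '\\' || *p == '"' || *p == '\'')
            *o++ = '\\';
        *o++ = *p;
    }
    *o = '\0';
    return out;
}

/* Shared builder: wraps 'literal' in the double quotes of the filter. */
static char *format_filter(const char *literal)
{
    const char *pre =
        "SELECT * FROM Example_ComputerSystem WHERE ElementName = \"";
    size_t n = strlen(pre) + strlen(literal) + 2; /* closing quote + NUL */
    char *q = malloc(n);
    if (!q)
        return NULL;
    snprintf(q, n, "%s%s\"", pre, literal);
    return q;
}

/* The pattern the commit calls vulnerable: the name goes in as-is, so
 * a '"' inside it terminates the literal and breaks the query. */
char *build_filter_unsafe(const char *name)
{
    return format_filter(name);
}

/* The fixed pattern: escape first, then interpolate. */
char *build_filter_safe(const char *name)
{
    char *esc = wql_escape(name);
    if (!esc)
        return NULL;
    char *q = format_filter(esc);
    free(esc);
    return q;
}

/* Count '"' characters that are not backslash-escaped.  A filter with
 * exactly one string literal must yield 2; anything else means the
 * literal was broken open by the parameter. */
int unescaped_quote_count(const char *q)
{
    int count = 0;
    int escaped = 0;
    for (const char *p = q; *p; p++) {
        if (escaped) { escaped = 0; continue; }
        if (*p == '\\') { escaped = 1; continue; }
        if (*p == '"')
            count++;
    }
    return count;
}

int main(void)
{
    const char *name = "\"";  /* the 'dominfo \"' input from the thread */
    char *bad = build_filter_unsafe(name);
    char *good = build_filter_safe(name);
    printf("unsafe: %s  (unescaped quotes: %d)\n", bad,
           unescaped_quote_count(bad));
    printf("safe:   %s  (unescaped quotes: %d)\n", good,
           unescaped_quote_count(good));
    free(bad);
    free(good);
    return 0;
}
```

With the name '"' the unsafe builder produces a filter with three unescaped quotes, which is the malformed WQL the SOAP fault complains about; the safe builder produces a filter whose literal is exactly `"\""`, so the lookup simply fails to match, matching the "Domain not found" result shown after the fix.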