On Fri, Feb 12, 2021 at 05:42:19PM +0100, Michal Privoznik wrote: > The root directory can be provided by user (or a temporary one is > generated) and is always formatted into connection URI for both > secret driver and QEMU driver, like this: > > qemu:///embed?root=$root > > But if it so happens that there is an URI unfriendly character in > root directory or path to it (say a space) then invalid URI is > formatted which results in unexpected results. We can trust > g_dir_make_tmp() to generate valid URI but we can't trust user. > Escape user provided root directory. Always. > > Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1920400 > Signed-off-by: Michal Privoznik <mprivozn@xxxxxxxxxx> > --- > src/qemu/qemu_shim.c | 9 ++++++--- > 1 file changed, 6 insertions(+), 3 deletions(-) Reviewed-by: Daniel P. Berrangé <berrange@xxxxxxxxxx> Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
