Fix SSH injection threat in 3PAR driver

The setqos ssh command was not built up correctly when the following
patch https://review.openstack.org/#/c/37697/ landed for cleaning up
the SSH calls from injection attacks in the 3PAR driver.

The command was in the following format causing the injection threat
due to the spaces in the second item in the list:
['setqos', '-io 5000 -bw 500M vvset:vvs-JOHB2Oj0QJ2UaWatwbe7Bg']
When it should actually be in the following format:
['setqos', '-io', '5000', '-bw', '500M', 'vvset:vvs-JOHB2Oj0QJ2UaWatwbe7Bg']

Change-Id: I69ed8dbca3af3ba56220891411b63331c1935373
Fixes: bug 1212884

diff --git a/cinder/volume/drivers/san/hp/hp_3par_common.py b/cinder/volume/drivers/san/hp/hp_3par_common.py
index 36f693421c18bc8b950e72922f453c9c951212d4..1a7b7f95cfaebe9fc9688c131f3292d5753d7a2f 100644 (file)
--- a/cinder/volume/drivers/san/hp/hp_3par_common.py
+++ b/cinder/volume/drivers/san/hp/hp_3par_common.py
@@ -619,12 +619,13 @@ exit
     def _set_qos_rule(self, qos, vvs_name):
         max_io = self._get_qos_value(qos, 'maxIOPS')
         max_bw = self._get_qos_value(qos, 'maxBWS')
-        cli_qos_string = ""
+        cmd = ['setqos']
         if max_io is not None:
-            cli_qos_string += ('-io %s ' % max_io)
+            cmd.extend(['-io', '%s' % max_io])
         if max_bw is not None:
-            cli_qos_string += ('-bw %sM ' % max_bw)
-        self._cli_run(['setqos', '%svvset:%s' % (cli_qos_string, vvs_name)])
+            cmd.append(['-bw', '%sM' % max_bw])
+        cmd.append('vvset:' + vvs_name)
+        self._cli_run(cmd)
 
     def _add_volume_to_volume_set(self, volume, volume_name,
                                   cpg, vvs_name, qos):