From: git-harry Date: Mon, 1 Dec 2014 13:26:40 +0000 (+0000) Subject: Fix check_ssh_injection in cinder/utils X-Git-Url: https://review.fuel-infra.org/gitweb?a=commitdiff_plain;h=78d9c0366b08c64f39930c2375d6622041fc8abe;p=openstack-build%2Fcinder-build.git Fix check_ssh_injection in cinder/utils check_ssh_injection is used to prevent commands being modified using specially constructed strings containing special characters. The function includes a loop over the special characters to compare them against each arg. If the special character is the same as the arg it gets ignored. This commit modifies this part of the function so that args that are exactly equal to one of the special characters will cause an exception to be raised. Change-Id: I3a61e995ea41fc0324b5cb60e3c96e3d9dc56637 Closes-Bug: #1398002
---
diff --git a/cinder/tests/test_utils.py b/cinder/tests/test_utils.py
index 9381de239..eca60b03a 100644
--- a/cinder/tests/test_utils.py
+++ b/cinder/tests/test_utils.py
@@ -471,7 +471,11 @@ class GenericUtilsTestCase(test.TestCase):
 self.assertRaises(exception.SSHInjectionThreat,
 utils.check_ssh_injection,
 with_unquoted_space)
- with_danger_char = ['||', 'my_name@name_of_remote_computer']
+ with_danger_chars = ['||', 'my_name@name_of_remote_computer']
+ self.assertRaises(exception.SSHInjectionThreat,
+ utils.check_ssh_injection,
+ with_danger_chars)
+ with_danger_char = [';', 'my_name@name_of_remote_computer']
 self.assertRaises(exception.SSHInjectionThreat,
 utils.check_ssh_injection,
 with_danger_char)
diff --git a/cinder/utils.py b/cinder/utils.py
index eca0d9121..bd4fcc95f 100644
--- a/cinder/utils.py
+++ b/cinder/utils.py
@@ -168,7 +168,7 @@ def check_ssh_injection(cmd_list):
 # Second, check whether danger character in command. So the shell
 # special operator must be a single argument.
 for c in ssh_injection_pattern:
- if arg == c:
+ if c not in arg:
 continue
 result = arg.find(c)
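Review bot: The new assertions pin the standalone-operator case for only `||` and `;`, so a regression that again exempts some other special character when it is passed as a whole argument would go unnoticed. Consider looping over every special character the function rejects, placing each one as the first element of the command list and asserting `exception.SSHInjectionThreat` for all of them. The lists `with_danger_chars` and `with_danger_char` also differ by a single letter, which is easy to misread; names such as `with_double_pipe` and `with_semicolon` would say what each case covers. The enclosing test method starts outside the hunk.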
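Review bot: The comment kept above the loop still says `So the shell special operator must be a single argument`, which appears to describe the exemption this change removes; left as is, it invites a later maintainer to restore `if arg == c: continue` in a security check. A comment such as `# Second, reject any argument containing a shell special character, including an argument that is exactly one.` would match the new behaviour. The added `if c not in arg:` also scans the argument a second time right before `result = arg.find(c)`; calling `result = arg.find(c)` first and then `if result == -1: continue` does the same with one scan. Because `find` reports only the first occurrence, it is worth confirming that the code after the hunk (not visible here) does not accept an argument on the strength of that first position alone. The body of check_ssh_injection starts and continues outside the hunk.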