From 0ab8c56a456082a8f25fe879a68b032111558536 Mon Sep 17 00:00:00 2001
From: Kurt Martin
Date: Fri, 16 Aug 2013 08:48:03 -0700
Subject: [PATCH] Fixes SSH injection threat in 3PAR driver

The setqos ssh command was not built up correctly when the following patch https://review.openstack.org/#/c/37697/ landed for cleaning up the SSH calls from injection attacks in the 3PAR driver. The command was in the following format causing the injection threat due to the spaces in the second item in the list: ['setqos', '-io 5000 -bw 500M vvset:vvs-JOHB2Oj0QJ2UaWatwbe7Bg'] When it should actually be in the following format: ['setqos', '-io', '5000', '-bw', '500M', 'vvset:vvs-JOHB2Oj0QJ2UaWatwbe7Bg'] This patch fixes an append vs. extend that was introduced in patch https://review.openstack.org/#/c/42241 Also fixes: bug 1212884
Change-Id: I28f84acd02397ee0d433a666375737145904d67e
---
 cinder/volume/drivers/san/hp/hp_3par_common.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cinder/volume/drivers/san/hp/hp_3par_common.py b/cinder/volume/drivers/san/hp/hp_3par_common.py
index 1a7b7f95c..20235800b 100644
--- a/cinder/volume/drivers/san/hp/hp_3par_common.py
+++ b/cinder/volume/drivers/san/hp/hp_3par_common.py
@@ -623,7 +623,7 @@ exit
 if max_io is not None:
 cmd.extend(['-io', '%s' % max_io])
 if max_bw is not None:
- cmd.append(['-bw', '%sM' % max_bw])
+ cmd.extend(['-bw', '%sM' % max_bw])
 cmd.append('vvset:' + vvs_name)
 self._cli_run(cmd)
--
2.45.2
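Review bot: `max_io` and `max_bw` are still interpolated with `%s` and never checked to be numeric, so a value containing spaces would again yield a single list item with embedded spaces, the shape the commit message calls the injection threat. Where these values come from is outside the hunk; if they can arrive as free-form strings, coerce them before building the argument, e.g. `cmd.extend(['-bw', '%dM' % int(max_bw)])` and `cmd.extend(['-io', '%d' % int(max_io)])`. The same applies to `'vvset:' + vvs_name` if `vvs_name` is not generated by the driver. A unit test asserting that the list handed to `_cli_run` is flat and holds only whitespace-free strings would have caught the append/extend slip and would guard against a repeat. The enclosing function starts and ends outside the hunk, so any validation done earlier in it is not visible here.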