From e8acc504faccbf815b53d2c39cdc6d858ba03da3 Mon Sep 17 00:00:00 2001
From: Kurt Martin
Date: Thu, 15 Aug 2013 16:22:31 -0700
Subject: [PATCH] Fix SSH injection threat in 3PAR driver
The setqos ssh command was not built up correctly when the following patch https://review.openstack.org/#/c/37697/ landed for cleaning up the SSH calls from injection attacks in the 3PAR driver. The command was in the following format causing the injection threat due to the spaces in the second item in the list:
['setqos', '-io 5000 -bw 500M vvset:vvs-JOHB2Oj0QJ2UaWatwbe7Bg']
When it should actually be in the following format:
['setqos', '-io', '5000', '-bw', '500M', 'vvset:vvs-JOHB2Oj0QJ2UaWatwbe7Bg']
Change-Id: I69ed8dbca3af3ba56220891411b63331c1935373
Fixes: bug 1212884
---
 cinder/volume/drivers/san/hp/hp_3par_common.py | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/cinder/volume/drivers/san/hp/hp_3par_common.py b/cinder/volume/drivers/san/hp/hp_3par_common.py
index 36f693421..1a7b7f95c 100644
--- a/cinder/volume/drivers/san/hp/hp_3par_common.py
+++ b/cinder/volume/drivers/san/hp/hp_3par_common.py
@@ -619,12 +619,13 @@ exit
 def _set_qos_rule(self, qos, vvs_name):
 max_io = self._get_qos_value(qos, 'maxIOPS')
 max_bw = self._get_qos_value(qos, 'maxBWS')
- cli_qos_string = ""
+ cmd = ['setqos']
 if max_io is not None:
- cli_qos_string += ('-io %s ' % max_io)
+ cmd.extend(['-io', '%s' % max_io])
 if max_bw is not None:
- cli_qos_string += ('-bw %sM ' % max_bw)
- self._cli_run(['setqos', '%svvset:%s' % (cli_qos_string, vvs_name)])
+ cmd.append(['-bw', '%sM' % max_bw])
+ cmd.append('vvset:' + vvs_name)
+ self._cli_run(cmd)
 def _add_volume_to_volume_set(self, volume, volume_name, cpg, vvs_name, qos):
-- 
2.45.2
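Review bot: In `_set_qos_rule`, the `-bw` branch calls `cmd.append(['-bw', '%sM' % max_bw])`, which puts a nested list into `cmd` instead of two separate arguments, so with `maxBWS` set the command becomes `['setqos', ..., ['-bw', '500M'], 'vvset:...']` rather than the flat form the commit message describes. It should mirror the `-io` branch: `cmd.extend(['-bw', '%sM' % max_bw])`. `_cli_run` is outside this hunk, so whether the nested element raises or is stringified into a single argument containing spaces is not visible here, but either outcome defeats the per-argument handling this change is meant to restore. A unit test that sets both `maxIOPS` and `maxBWS` and asserts the exact list passed to `_cli_run` would catch this.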