Fix check_ssh_injection in cinder/utils

check_ssh_injection is used to prevent commands being modified using
specially constructed strings containing special characters.

The function loops over the special characters and compares each one
against every arg. An arg that was exactly equal to a special character
was skipped rather than flagged, so a lone shell operator (e.g. `;`)
passed the check.

This commit modifies this part of the function so that args that are
exactly equal to one of the special characters will cause an exception
to be raised.

Change-Id: I3a61e995ea41fc0324b5cb60e3c96e3d9dc56637
Closes-Bug: #1398002
git-harry 2014-12-01 13:26:40 +00:00
parent 408c764f4f
commit 78d9c0366b
2 changed files with 6 additions and 2 deletions


@ -471,7 +471,11 @@ class GenericUtilsTestCase(test.TestCase):
self.assertRaises(exception.SSHInjectionThreat,
utils.check_ssh_injection,
with_unquoted_space)
with_danger_char = ['||', 'my_name@name_of_remote_computer']
with_danger_chars = ['||', 'my_name@name_of_remote_computer']
self.assertRaises(exception.SSHInjectionThreat,
utils.check_ssh_injection,
with_danger_chars)
with_danger_char = [';', 'my_name@name_of_remote_computer']
self.assertRaises(exception.SSHInjectionThreat,
utils.check_ssh_injection,
with_danger_char)
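Review bot: The new regression case at the end of the hunk pins only `;` as a standalone argument, although the fix changes the outcome for every entry of the pattern list, including any multi-character operator; a loop over the list would cover them all: `for c in utils.ssh_injection_pattern:` / `self.assertRaises(exception.SSHInjectionThreat,` / `utils.check_ssh_injection, [c, 'my_name@name_of_remote_computer'])`. This presumes `ssh_injection_pattern` is a module-level name in `utils` (the function references it unqualified), which should be confirmed before relying on it. The names `with_danger_chars` and `with_danger_char` differ by one letter yet cover two distinct cases (an operator embedded in an argument versus the operator being the entire argument); a name such as `with_lone_danger_char` for the new case would make that distinction visible to the next reader. The enclosing test method starts before this hunk.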


@ -168,7 +168,7 @@ def check_ssh_injection(cmd_list):
# Second, check whether danger character in command. So the shell
# special operator must be a single argument.
for c in ssh_injection_pattern:
if arg == c:
if c not in arg:
continue
result = arg.find(c)