Bug 1013737

Summary: No error when inserting a non-ISO image through the REST API
Product: Red Hat Enterprise Virtualization Manager Reporter: Christophe Fergeau <cfergeau>
Component: ovirt-engineAssignee: Martin Betak <mbetak>
Status: CLOSED CURRENTRELEASE QA Contact: Pavel Novotny <pnovotny>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 3.3.0CC: bazulay, iheim, lpeer, mavital, michal.skrivanek, oramraz, rbalakri, Rhev-m-bugs, yeylon
Target Milestone: ---   
Target Release: 3.5.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: virt
Fixed In Version: ovirt-3.5.0_rc1 Doc Type: Bug Fix
Doc Text:
Cause: Missing validation for image file suffix. Consequence: Allowed erroneous insertion of floppy to cdrom. Fix: Added check do allow only *.iso files to be inserted to cdrom.
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-02-17 08:26:36 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 1142923, 1156165    

Description Christophe Fergeau 2013-09-30 16:49:47 UTC
ISO domains can contain iso or vfd images. If one tries to insert a vfd image using the REST API, the insertion is successful, and then Windows fails to read the image saying its format is invalid. It would be nicer to reject such changes

> PUT //api/vms/d14e4ddc-3dc5-4157-8e4d-f0f807856884/cdroms/00000000-0000-0000-0000-000000000000?current= HTTP/1.1
> Soup-Debug-Timestamp: 1380559590
> Soup-Debug: SoupSessionAsync 1 (0x6af960), SoupMessage 8 (0xb3a1d0), SoupSocket 9 (0x7f8d80)
> Host: rhevm33.spice.lab.eng.brq.redhat.com
> Content-Type: application/xml
> Filter: true
> Connection: Keep-Alive
> Authorization: Basic [teuf.eng.brq.redhat.com:*********]
> <cdrom>
>       <file id="virtio-win-1.2.0.vfd"/>
> </cdrom>

< HTTP/1.1 200 OK
< Soup-Debug-Timestamp: 1380559590
< Soup-Debug: SoupMessage 8 (0xb3a1d0)
< Date: Mon, 30 Sep 2013 16:46:27 GMT
< Pragma: No-cache
< Cache-Control: no-cache
< Expires: Thu, 01 Jan 1970 01:00:00 CET
< Content-Type: application/xml
< Content-Length: 111
< Vary: Accept-Encoding
< Connection: close
< <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
< <cdrom>
<     <file id="virtio-win-1.2.0.vfd"/>
< </cdrom>

Comment 1 Michal Skrivanek 2013-10-01 08:40:58 UTC
is the suffix check enough? i.e. .iso for cdrom and .vfd for floppy?

Comment 2 Christophe Fergeau 2013-10-01 08:59:45 UTC
The 'file' resources have a 'type' attribute as documented in api?schema and in https://access.redhat.com/site/documentation//en-US/Red_Hat_Enterprise_Virtualization/3.2/html/Developer_Guide/sect-Sub-Collections-2.html so I was thinking this could be used. However it's not present when I look at the xml returned by a 3.2 or 3.3 instance.

Comment 4 Pavel Novotny 2014-08-12 12:02:12 UTC
Verified upstream in ovirt-engine-3.5.0-0.0.master.20140804172041.git23b558e.el6.noarch (rc1).

Request PUT /ovirt-engine/api/vms/<uuid>/cdroms/00000000-0000-0000-0000-000000000000?current
with body 

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <file id="virtio-win-1.2.0.vfd"/>


  <reason>Operation Failed</reason>
  <detail>[Cannot edit VM. Invalid CD image format.]</detail>

Comment 5 Omer Frenkel 2015-02-17 08:26:36 UTC
RHEV-M 3.5.0 has been released