Bug 1515193
| Summary: | pcs should not allow {}\n\r characters in corosync.conf values | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Tomas Jelinek <tojeline> | |
| Component: | pcs | Assignee: | Tomas Jelinek <tojeline> | |
| Status: | CLOSED WONTFIX | QA Contact: | cluster-qe <cluster-qe> | |
| Severity: | unspecified | Docs Contact: | ||
| Priority: | high | |||
| Version: | 7.5 | CC: | cfeist, cluster-maint, idevat, omular, tojeline | |
| Target Milestone: | rc | |||
| Target Release: | --- | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | Doc Type: | If docs needed, set a value | ||
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 1551663 1679196 (view as bug list) | Environment: | ||
| Last Closed: | 2020-09-16 12:45:35 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
|
Description
Tomas Jelinek
2017-11-20 11:23:09 UTC
This is rather urgent for reasons in [bug 1389209 comment 35]. And rather than being matter of corosync parser, it's a general deficiency in checking the inputs (possibly from less-privileged sources, depending on the exact use case) to compose the resulting corosync.conf from, as currently the precooked configuration snippets may be injected in "plain unlimited string"-evaluated instances. - { anywhere in a line means start of a section -> disallowed
- } anywhere in a line means end of a section -> disallowed
- \n and \r starts a new line which could be used to set its own key-value or section -> disallowed
- : is allowed, as only the first : in a line matters
- # is allowed, as the # only matters when it is the first character in a line (not considering whitespace)
- there is no escaping available
|