Bug 858386

Summary: modcluster: Encode XML-unsafe characters from user input as XML entities
Product: Red Hat Enterprise Linux 6 Reporter: Jan Pokorný [poki] <jpokorny>
Component: clustermonAssignee: Jan Pokorný [poki] <jpokorny>
Status: CLOSED DUPLICATE QA Contact: Cluster QE <mspqa-list>
Severity: medium Docs Contact:
Priority: medium    
Version: 6.3CC: cluster-maint, fdinitto, rmccabe, rsteiger
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 855112 Environment:
Last Closed: 2014-03-27 16:43:37 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 855121    

Description Jan Pokorný [poki] 2012-09-18 20:24:10 UTC 
+++ This bug was initially created as a clone of Bug #855112 +++

In connection to case discussed in the public cluster ML [1], we need
to make sure the user input that makes its way into XML (either as
cluster.conf or XML-formatted requests towards ricci) is XML-ready.
That is, the "unsafe" characters are encoded as XML entities.

More generally, we need to make sure XML entities are handled
correctly in each step of processing in following chain:

client (ccs, luci) -- ricci -- ricci-worker -- modcluster

Otherwise, such requests have no effect and unfortunately, neither
ricci provides a sensible diagnostics about this.  Example of such
input is the password for the initial authentization against ricci.

[1] https://www.redhat.com/archives/linux-cluster/2012-August/msg00135.html
Comment 1 RHEL Program Management 2012-09-18 20:29:32 UTC 
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unable to address this
request at this time.

Red Hat invites you to ask your support representative to
propose this request, if appropriate, in the next release of
Red Hat Enterprise Linux.
Comment 3 Fabio Massimo Di Nitto 2014-03-27 16:43:37 UTC 

*** This bug has been marked as a duplicate of bug 855112 ***