Bug 1013737 - No error when inserting a non-ISO image through the REST API
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine
Unspecified Unspecified
unspecified Severity unspecified
: ---
: 3.5.0
Assigned To: Martin Betak
Pavel Novotny
Depends On:
Blocks: rhev3.5beta 1156165
Reported: 2013-09-30 12:49 EDT by Christophe Fergeau
Modified: 2015-02-17 03:26 EST
Fixed In Version: ovirt-3.5.0_rc1
Doc Type: Bug Fix
Doc Text:
Cause: Missing validation for image file suffix. Consequence: Allowed erroneous insertion of floppy to cdrom. Fix: Added check to allow only *.iso files to be inserted to cdrom.
Last Closed: 2015-02-17 03:26:36 EST
Type: Bug
External Trackers
Tracker ID Priority Status Summary Last Updated
oVirt gerrit 30806 master MERGED backend: Validate cdrom images for .iso suffix Never
oVirt gerrit 30903 ovirt-engine-3.5 MERGED backend: Validate cdrom images for .iso suffix Never
Description Christophe Fergeau 2013-09-30 12:49:47 EDT
ISO domains can contain iso or vfd images. If one tries to insert a vfd image using the REST API, the insertion is successful, and then Windows fails to read the image saying its format is invalid. It would be nicer to reject such changes.

> PUT //api/vms/d14e4ddc-3dc5-4157-8e4d-f0f807856884/cdroms/00000000-0000-0000-0000-000000000000?current= HTTP/1.1
> Soup-Debug-Timestamp: 1380559590
> Soup-Debug: SoupSessionAsync 1 (0x6af960), SoupMessage 8 (0xb3a1d0), SoupSocket 9 (0x7f8d80)
> Host: rhevm33.spice.lab.eng.brq.redhat.com
> Content-Type: application/xml
> Filter: true
> Connection: Keep-Alive
> Authorization: Basic [teuf@spice.lab.eng.brq.redhat.com:*********]
> <cdrom>
>       <file id="virtio-win-1.2.0.vfd"/>
> </cdrom>

< HTTP/1.1 200 OK
< Soup-Debug-Timestamp: 1380559590
< Soup-Debug: SoupMessage 8 (0xb3a1d0)
< Date: Mon, 30 Sep 2013 16:46:27 GMT
< Pragma: No-cache
< Cache-Control: no-cache
< Expires: Thu, 01 Jan 1970 01:00:00 CET
< Content-Type: application/xml
< Content-Length: 111
< Vary: Accept-Encoding
< Connection: close
< <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
< <cdrom>
<     <file id="virtio-win-1.2.0.vfd"/>
< </cdrom>
Comment 1 Michal Skrivanek 2013-10-01 04:40:58 EDT
Is the suffix check enough? i.e. .iso for cdrom and .vfd for floppy?
Comment 2 Christophe Fergeau 2013-10-01 04:59:45 EDT
The 'file' resources have a 'type' attribute as documented in api?schema and in https://access.redhat.com/site/documentation//en-US/Red_Hat_Enterprise_Virtualization/3.2/html/Developer_Guide/sect-Sub-Collections-2.html so I was thinking this could be used. However it's not present when I look at the xml returned by a 3.2 or 3.3 instance.
Comment 4 Pavel Novotny 2014-08-12 08:02:12 EDT
Verified upstream in ovirt-engine-3.5.0-0.0.master.20140804172041.git23b558e.el6.noarch (rc1).

Request PUT /ovirt-engine/api/vms/<uuid>/cdroms/00000000-0000-0000-0000-000000000000?current
with body 

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <file id="virtio-win-1.2.0.vfd"/>


  <reason>Operation Failed</reason>
  <detail>[Cannot edit VM. Invalid CD image format.]</detail>
Comment 5 Omer Frenkel 2015-02-17 03:26:36 EST
RHEV-M 3.5.0 has been released
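
The suffix validation described in the Doc Text and asked about in Comment 1, as an added example that is not the ovirt-engine code: it parses the request body and applies the per-device suffix rule before accepting the change. The function name, the <floppy> element, the floppy error text and the treatment of an empty id as an eject are assumptions; the CD fault text is the one shown in Comment 4.

```python
import xml.etree.ElementTree as ET

# Suffix each device accepts, following the rule proposed in Comment 1.
# The "floppy" element name is hypothetical; only <cdrom> appears in the bug.
ALLOWED_SUFFIX = {"cdrom": ".iso", "floppy": ".vfd"}
# Fault detail text as shown in Comment 4.
INVALID_CD = "Cannot edit VM. Invalid CD image format."
# Constructed message, not taken from the product.
INVALID_FLOPPY = "Invalid floppy image format."


def validate_media_change(body):
    """Return (ok, detail) for a change-media request body."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return False, "Malformed XML body."
    suffix = ALLOWED_SUFFIX.get(root.tag)
    if suffix is None:
        return False, "Unsupported device element."
    file_el = root.find("file")
    if file_el is None or "id" not in file_el.attrib:
        return False, "Missing file id."
    image = file_el.attrib["id"].strip()
    if image == "":
        # Assumption: an empty id requests an eject, so nothing to validate.
        return True, ""
    # Compare case-insensitively and require a non-empty base name.
    if not image.lower().endswith(suffix) or len(image) == len(suffix):
        return False, INVALID_CD if root.tag == "cdrom" else INVALID_FLOPPY
    return True, ""


if __name__ == "__main__":
    # Constructed sample bodies; the first mirrors the request in the description.
    samples = [
        '<cdrom><file id="virtio-win-1.2.0.vfd"/></cdrom>',
        '<cdrom><file id="install.iso"/></cdrom>',
        '<floppy><file id="virtio-win-1.2.0.vfd"/></floppy>',
    ]
    for sample in samples:
        print(sample, "->", validate_media_change(sample))
```

A suffix rule only constrains the file name, so a renamed image still passes; that is the limit Comment 1 raises.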