Bug 1013737 - No error when inserting a non-ISO image through the REST API
Summary: No error when inserting a non-ISO image through the REST API
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine
Version: 3.3.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Target Release: 3.5.0
Assignee: Martin Betak
QA Contact: Pavel Novotny
Whiteboard: virt
Depends On:
Blocks: rhev3.5beta 1156165
Reported: 2013-09-30 16:49 UTC by Christophe Fergeau
Modified: 2015-02-17 08:26 UTC

Fixed In Version: ovirt-3.5.0_rc1
Doc Type: Bug Fix
Doc Text:
Cause: Missing validation for image file suffix. Consequence: Allowed erroneous insertion of floppy to cdrom. Fix: Added check to allow only *.iso files to be inserted to cdrom.
Clone Of:
Last Closed: 2015-02-17 08:26:36 UTC
oVirt Team: ---
Target Upstream Version:

System | ID | Private | Priority | Status | Summary | Last Updated
oVirt gerrit | 30806 | 0 | master | MERGED | backend: Validate cdrom images for .iso suffix | Never
oVirt gerrit | 30903 | 0 | ovirt-engine-3.5 | MERGED | backend: Validate cdrom images for .iso suffix | Never

Description Christophe Fergeau 2013-09-30 16:49:47 UTC
ISO domains can contain iso or vfd images. If one tries to insert a vfd image using the REST API, the insertion is successful, and then Windows fails to read the image saying its format is invalid. It would be nicer to reject such changes.

> PUT //api/vms/d14e4ddc-3dc5-4157-8e4d-f0f807856884/cdroms/00000000-0000-0000-0000-000000000000?current= HTTP/1.1
> Soup-Debug-Timestamp: 1380559590
> Soup-Debug: SoupSessionAsync 1 (0x6af960), SoupMessage 8 (0xb3a1d0), SoupSocket 9 (0x7f8d80)
> Host: rhevm33.spice.lab.eng.brq.redhat.com
> Content-Type: application/xml
> Filter: true
> Connection: Keep-Alive
> Authorization: Basic [teuf@spice.lab.eng.brq.redhat.com:*********]
> <cdrom>
>       <file id="virtio-win-1.2.0.vfd"/>
> </cdrom>

< HTTP/1.1 200 OK
< Soup-Debug-Timestamp: 1380559590
< Soup-Debug: SoupMessage 8 (0xb3a1d0)
< Date: Mon, 30 Sep 2013 16:46:27 GMT
< Pragma: No-cache
< Cache-Control: no-cache
< Expires: Thu, 01 Jan 1970 01:00:00 CET
< Content-Type: application/xml
< Content-Length: 111
< Vary: Accept-Encoding
< Connection: close
< <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
< <cdrom>
<     <file id="virtio-win-1.2.0.vfd"/>
< </cdrom>

Comment 1 Michal Skrivanek 2013-10-01 08:40:58 UTC
Is the suffix check enough? i.e. .iso for cdrom and .vfd for floppy?

Comment 2 Christophe Fergeau 2013-10-01 08:59:45 UTC
The 'file' resources have a 'type' attribute as documented in api?schema and in https://access.redhat.com/site/documentation//en-US/Red_Hat_Enterprise_Virtualization/3.2/html/Developer_Guide/sect-Sub-Collections-2.html so I was thinking this could be used. However it's not present when I look at the xml returned by a 3.2 or 3.3 instance.

Comment 4 Pavel Novotny 2014-08-12 12:02:12 UTC
Verified upstream in ovirt-engine-3.5.0-0.0.master.20140804172041.git23b558e.el6.noarch (rc1).

Request PUT /ovirt-engine/api/vms/<uuid>/cdroms/00000000-0000-0000-0000-000000000000?current
with body 

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <file id="virtio-win-1.2.0.vfd"/>


  <reason>Operation Failed</reason>
  <detail>[Cannot edit VM. Invalid CD image format.]</detail>
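
The suffix check raised in Comment 1, sketched as server-side validation of the request body from the description. This is an added example, not part of the original comments and not oVirt's backend code. The function names, the HTTP 400 status, the <fault> wrapper element and the case-insensitive match are assumptions.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

# Assumed policy, from Comment 1: .iso for cdrom, .vfd for floppy.
ALLOWED = {"cdrom": ".iso", "floppy": ".vfd"}
INVALID_FORMAT = "[Cannot edit VM. Invalid CD image format.]"  # text from Comment 4


def parse_body(body: bytes):
    """Return (device, image id) from <cdrom><file id="..."/></cdrom>."""
    if b"<!DOCTYPE" in body or b"<!ENTITY" in body:
        raise ValueError("DTDs are not accepted")  # no entity expansion on untrusted XML
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        raise ValueError(f"malformed XML: {exc}") from exc
    file_el = root.find("file")
    if root.tag not in ALLOWED or file_el is None or "id" not in file_el.attrib:
        raise ValueError("expected <cdrom> or <floppy> with a <file id=.../> child")
    return root.tag, file_el.attrib["id"]


def image_name_ok(device: str, image_id: str) -> bool:
    """Suffix check plus the cases a bare endswith() would let through."""
    suffix = ALLOWED[device]
    if any(ch in image_id for ch in "/\\") or not image_id.isprintable():
        return False  # must be a plain file name, not a path; no control characters
    stem = image_id[: -len(suffix)]
    return image_id.lower().endswith(suffix) and stem.strip(". ") != ""


def fault(detail: str) -> str:
    # The <fault> wrapper element is an assumption; reason/detail appear in Comment 4.
    return ("<fault><reason>Operation Failed</reason>"
            f"<detail>{escape(detail)}</detail></fault>")


def handle_put(body: bytes):
    """Return (HTTP status, response XML). Status 400 on rejection is an assumption."""
    try:
        device, image_id = parse_body(body)
    except ValueError as exc:
        return 400, fault(str(exc))
    if not image_name_ok(device, image_id):
        return 400, fault(INVALID_FORMAT)
    return 200, f"<{device}><file id={quoteattr(image_id)}/></{device}>"
```

A suffix check only constrains the name; it does not confirm that the file behind it is a readable ISO image.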

Comment 5 Omer Frenkel 2015-02-17 08:26:36 UTC
RHEV-M 3.5.0 has been released
