Bug 1197580 - libvirt should escape possible invalid characters.
Summary: libvirt should escape possible invalid characters.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libvirt
Version: 7.1
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 7.2
Assignee: Pavel Hrdina
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2015-03-02 06:01 UTC by Hao Liu
Modified: 2015-11-19 06:18 UTC

Fixed In Version: libvirt-1.2.16-1.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-11-19 06:18:34 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2015:2202 0 normal SHIPPED_LIVE libvirt bug fix and enhancement update 2015-11-19 08:17:58 UTC

Description Hao Liu 2015-03-02 06:01:04 UTC
Description:
libvirt should escape possible invalid characters.

How reproducible:
100%

Version:
libvirt-1.2.8-16.el7.x86_64

Steps
1. Define a VM with some invalid characters and check the defined XML.
# cat vm.xml
<domain type='kvm'>
  <name>test</name>
  <title>&lt;&gt;</title>
  <memory unit='KiB'>1048576</memory>
  <os>
    <type arch='x86_64' machine='pc-i440fx-rhel7.1.0'>hvm</type>
  </os>
  <cpu mode='custom' match='exact'>
    <model fallback='allow'>&lt;&gt;</model>
  </cpu>
  <devices>
    <graphics type='vnc' socket='/&lt;&gt;'>
    </graphics>
  </devices>
</domain>

# virsh define vm.xml
Domain test defined from vm.xml

# virsh dumpxml test
...
  <title>&lt;&gt;</title>
...
  <cpu mode='custom' match='exact'>
    <model fallback='allow'><></model>
  </cpu>
...
    <graphics type='vnc' socket='/<>'/>
...

2. Now if we try to edit the configuration
# virsh edit test
error: (domain_definition):12: StartTag: invalid element name
    <model fallback='allow'><></model>
-----------------------------^
Failed. Try again? [y,n,f,?]:

3. The same thing exists in, but is not confined to, the following paths:
"/domain/devices/hostdev/rom/file"
"/domain/devices/source/seclabel/model"

Expected results:
Either the saved XML should be escaped correctly, or it should be
failed out at the defining stage.

Comment 1 Pavel Hrdina 2015-05-05 15:04:38 UTC
Upstream patch proposed:

https://www.redhat.com/archives/libvir-list/2015-May/msg00110.html

Comment 2 Pavel Hrdina 2015-05-12 10:17:08 UTC
Upstream commit:

commit d091518b353d49b772a1e68acbe0fd0be76e33d6
Author: Pavel Hrdina <phrdina>
Date:   Tue May 5 16:52:46 2015 +0200

    XML: escape strings where we should do it
    
    There are a lot of places where it's pretty easy for a user to enter some
    characters that we need to escape to create a valid XML description.
    
    Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1197580
    
    Signed-off-by: Pavel Hrdina <phrdina>

v1.2.15-63-gd091518

Comment 4 Fangge Jin 2015-08-31 09:12:39 UTC
Steps:
1.Define a vm with the attributes as below:
...
    <graphics type='vnc' port='-1' autoport='yes' socket='&lt;&gt;'>
    </graphics>
...

2.Dump the xml:
# virsh dumpxml test
...
    <graphics type='vnc' socket='<>'/>
...

3.Try to edit the xml:
# virsh edit test
error: (domain_definition):125: Unescaped '<' not allowed in attributes values
    <graphics type='vnc' socket='<>'/>
---------------------------------^
Failed. Try again? [y,n,i,f,?]: 


The issue still exists with graphics->socket.

Comment 5 Pavel Hrdina 2015-08-31 13:30:35 UTC
Hi, you're right, I've missed that one.

Comment 6 Fangge Jin 2015-09-22 07:17:22 UTC
(In reply to Pavel Hrdina from comment #5)
> Hi, you're right, I've missed that one.

Hello, Pavel

Will you include the fix in this bug? Or we can just verify it with the current fix now, and note the missing part in the comment.

Comment 7 Pavel Hrdina 2015-10-08 11:44:17 UTC
Hi, there is a patch upstream, that fixes it, but it's not critical and we will not include it in RHEL-7.2.  Please create a new bug against RHEL-7.3 so we can track this issue.

Thanks

Comment 8 Fangge Jin 2015-10-10 03:45:00 UTC
Test on build libvirt-1.2.17-13.el7.x86_64:

Domain xml:
1)Define a guest with the following settings:
# cat escape.xml
<domain type='kvm'>
  <name>test4&lt;</name>
  <title>A short description -&lt;&gt; title - of the domain</title>
--
  <cpu mode='custom' match='exact'>
      <model vendor_id='uthedjdjdj&lt;&gt;'>IvyBridge&lt;&gt;</model>
      <vendor>Intel&lt;&gt;</vendor>
  </cpu>
--
  <devices>
    <emulator>/usr/libexec/dd&lt;/qemu-kvm</emulator>
--
    <interface type='network'>
      <rom bar='on' file='/etc/fake/boot&lt;&gt;.bin'/>
--
    <serial type="udp">
      <source mode="bind" host="&lt;ddd0.0.0.0&gt;" service="&lt;2445&gt;"/>
      <source mode="connect" host="&lt;ddd0.0.0.0&gt;" service="&lt;2445&gt;"/>
--
    <serial type="tcp">
      <source mode="bind" host="&lt;ddd0.0.0.0&gt;" service="&lt;2445&gt;"/>
--
    <serial type="tcp">
      <source mode="connect" host="&lt;ddd0.0.0.0&gt;" service="&lt;2445&gt;"/>
--
    <serial type="nmdm">
      <source master="/dev/n&lt;mdm0&gt;A" slave="/dev/nm&lt;dm0&gt;B"/>
--
  </devices>
  <seclabel type='dynamic' model='selinux&lt;&gt;' relabel='yes'/>

# virsh define escape.xml 
Domain test4< defined from escape.xml

2)Dumpxml, the special characters are escaped correctly:
# virsh dumpxml 'test4<'
  <name>test4&lt;</name>
  <title>A short description -&lt;&gt; title - of the domain</title>
    <model fallback='allow' vendor_id='uthedjdjdj&lt;&gt;'>IvyBridge&lt;&gt;</model>
    <vendor>Intel&lt;&gt;</vendor>
    <emulator>/usr/libexec/dd&lt;/qemu-kvm</emulator>
      <rom bar='on' file='/etc/fake/boot&lt;&gt;.bin'/>
      <source mode='bind' host='&lt;ddd0.0.0.0&gt;' service='&lt;2445&gt;'/>
      <source mode='connect' host='&lt;ddd0.0.0.0&gt;' service='&lt;2445&gt;'/>
      <source mode='bind' host='&lt;ddd0.0.0.0&gt;' service='&lt;2445&gt;'/>
      <source mode='connect' host='&lt;ddd0.0.0.0&gt;' service='&lt;2445&gt;'/>
      <source master='/dev/n&lt;mdm0&gt;A' slave='/dev/nm&lt;dm0&gt;B'/>
  <seclabel type='dynamic' model='selinux&lt;&gt;' relabel='yes'/>

3)Try to edit the guest xml, the edit succeeds:
# virsh edit 'test4<'
Domain test4< XML configuration edited.

4)Define a guest xml with the following settings:
# cat escape.xml |grep spiceport -a3
    <serial type="spiceport">
      <source channel="org.qemu.console.s&lt;erial.0"/>

# virsh define escape.xml 
error: Failed to define domain from escape.xml
error: invalid argument: Invalid character in source channel for char device



Network xml:
1)Define a network with the following settings:
# cat vepa-network.xml
<network>
  <dns>
    <txt name="example&quot;" value="example value&quot;" />
    <srv service='name' protocol='tcp' domain='test-domain-name&quot;' target='.&quot;' port='1024' priority='10' weight='10'/>
    <host ip='192.168.122.2'>
      <hostname>myh&quot;ost</hostname>
      <hostname>myh&quot;ostalias</hostname>

# virsh net-define vepa-network.xml 
Network vepa-net defined from vepa-network.xml

2)Dumpxml,  the special characters are escaped correctly:
# virsh net-dumpxml vepa-net
...
    <txt name='example&quot;' value='example value&quot;'/>
    <srv service='name' protocol='tcp' domain='test-domain-name&quot;' target='.&quot;' port='1024' priority='10' weight='10'/>
      <hostname>myh&quot;ost</hostname>
      <hostname>myh&quot;ostalias</hostname>
...

3)Try to edit the network xml, the edit succeeds:
# virsh net-edit vepa-net
Network vepa-net XML configuration edited.

Comment 9 Fangge Jin 2015-10-10 03:48:39 UTC
(In reply to Pavel Hrdina from comment #7)
> Hi, there is a patch upstream, that fixes it, but it's not critical and we
> will not include it in RHEL-7.2.  Please create a new bug against RHEL-7.3
> so we can track this issue.
> 
> Thanks

Comment 8 tested part of the places that have been escaped correctly.

Moving this bug to verified, and created new bug 1270427 for the two missing places that need escaping:
/domain/devices/disk/driver[@name]
/domain/devices/graphics[@socket]
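
Added example (not part of the bug report or of libvirt's code): a Python sketch of the round-trip failure discussed in this bug. It parses a constructed domain XML modelled on the reporter's vm.xml, lists the paths whose values need escaping on output, and compares a formatter that prints strings verbatim with one that escapes them. All function names are illustrative.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

# Constructed sample, modelled on the vm.xml in the report above.
SAMPLE = """<domain type='kvm'>
  <name>test</name>
  <title>&lt;&gt;</title>
  <cpu mode='custom' match='exact'>
    <model fallback='allow'>&lt;&gt;</model>
  </cpu>
  <devices>
    <graphics type='vnc' socket='/&lt;&gt;'/>
  </devices>
</domain>"""

SPECIAL = set("<>&\"'")

def risky_paths(elem, prefix=""):
    """Paths of text nodes and attributes whose value may need escaping on output."""
    path = f"{prefix}/{elem.tag}"
    hits = [path] if elem.text and SPECIAL & set(elem.text) else []
    hits += [f"{path}[@{k}]" for k, v in elem.attrib.items() if SPECIAL & set(v)]
    for child in elem:
        hits += risky_paths(child, path)
    return hits

def fmt(elem, safe):
    """Serialize elem. safe=False prints strings verbatim (as reported for some fields)."""
    txt = escape if safe else (lambda s: s)
    att = quoteattr if safe else (lambda s: f"'{s}'")
    attrs = "".join(f" {k}={att(v)}" for k, v in elem.attrib.items())
    body = txt(elem.text or "") + "".join(fmt(c, safe) for c in elem)
    return f"<{elem.tag}{attrs}>{body}</{elem.tag}>"

def reparses(xml_text):
    """True if the output can be parsed again, which is what `virsh edit` needs."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False

def audit(xml_text):
    """Return (paths needing escaping, verbatim output reparses, escaped output reparses)."""
    root = ET.fromstring(xml_text)
    return risky_paths(root), reparses(fmt(root, False)), reparses(fmt(root, True))

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The same round-trip check (format, then parse again) can be run over any XML a tool emits from user-supplied strings to find fields that are written without escaping.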

Comment 11 errata-xmlrpc 2015-11-19 06:18:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2202.html

