Bug 732429 - fix rhn.py to quote arguments
Summary: fix rhn.py to quote arguments
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ovirt-node
Version: 6.2
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Alan Pevec
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On:
Blocks: 728234
Reported: 2011-08-22 12:58 UTC by Andrew Cathrow
Modified: 2016-04-26 15:21 UTC (History)

Fixed In Version: ovirt-node-2.0.2-0.3.gitcf213a7.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-12-06 19:26:27 UTC
Target Upstream Version:
Embargoed:


Attachments
ovirt.log (13.48 KB, text/plain), 2011-08-25 10:07 UTC, cshao
fix rhn.py to quote arguments (4.11 KB, patch), 2011-09-02 02:05 UTC, Alan Pevec
fix rhn.py to quote arguments (4.12 KB, patch), 2011-09-02 20:30 UTC, Alan Pevec


Links
System: Red Hat Product Errata
ID: RHBA-2011:1783
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: rhev-hypervisor6 bug fix and enhancement update
Last Updated: 2011-12-06 15:10:54 UTC

Description Andrew Cathrow 2011-08-22 12:58:41 UTC
Alan - as per rhev-devel email. Reported during beta

rhn.py uses string instead of sequence for args in subprocess.Popen which can lead to errors w.r.t. string escaping.

Comment 1 cshao 2011-08-23 07:27:37 UTC
Below is the QE summary of registering RHEVH to Satellite with special-character passwords:
Fail:
(123qwe
)123qwe
;123qwe
"123qwe
<123qwe
">123qwe"
123 qwe (there is a blank)
#123qwe
$123qwe
&123qwe

Pass:
[123qwe
]123qwe 
{123qwe
}123qwe
:123qwe
,123qwe
.123qwe
/123qwe
?123qwe
~123qwe
!123qwe
%123qwe
^123qwe
*123qwe
@123qwe

Comment 2 Joey Boggs 2011-08-23 17:43:46 UTC

rhn/proxy user/password are now single quoted to escape the characters

Some issues with a sequence. subprocess.Popen handles sequenced args as shell arguments rather than arguments to the program being called. No reason to create a list to have it rejoined in the end as a string. Can easily fix with single quotes on user managed options that could possibly have special characters and spaces.

Comment 5 cshao 2011-08-25 10:07:37 UTC
Created attachment 519801 [details]
ovirt.log

Comment 8 Alan Pevec 2011-08-29 21:09:13 UTC
> No reason to create a list to have it rejoined in the end as a string.

Actually, there's a reason: list2cmdline should do proper quoting for you,
so it's best to send args as a list.

Comment 9 Joey Boggs 2011-08-30 16:42:41 UTC
Quoting around the password, where we need quotes, gets mangled when quotes are in the password itself; all other bad characters are fine. Even escaping them ahead of time makes the situation worse. Any ideas?

list2cmdline put into sample script with output

http://pastebin.test.redhat.com/59937

Comment 10 Alan Pevec 2011-08-30 21:58:13 UTC
Not sure I understand; afaict list2cmdline does the correct thing. Don't escape or quote anything, just send it as a list to Popen and it will quote/escape as needed.
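
The quoting approaches debated in comments 2 through 10, compared side by side as an added example that is not part of the bug thread and is not the rhn.py code. Assumptions: the child command is a stand-in that echoes back `argv[1]`, `12'3qwe` is a constructed password, and a POSIX `/bin/sh` is available.

```python
import shlex
import subprocess
import sys

# Stand-in for the registration tool (assumption): echoes back argv[1] exactly.
CHILD = [sys.executable, "-c",
         "import sys; sys.stdout.write(sys.argv[1] if len(sys.argv) > 1 else '')"]

# "Fail" passwords from comment 1, plus one constructed value with a single quote.
FAIL_LIST = ['(123qwe', ')123qwe', ';123qwe', '"123qwe', '<123qwe',
             '">123qwe"', '123 qwe', '#123qwe', '$123qwe', '&123qwe']
WITH_SINGLE_QUOTE = "12'3qwe"  # constructed sample


def via_list(password):
    """argv as a sequence, no shell: the child receives the value unchanged."""
    done = subprocess.run(CHILD + [password], capture_output=True, text=True)
    return done.stdout if done.returncode == 0 else None


def via_shell_string(password, quote=lambda s: s):
    """One command string parsed by /bin/sh; `quote` prepares the password."""
    cmd = " ".join(shlex.quote(part) for part in CHILD) + " " + quote(password)
    done = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return done.stdout if done.returncode == 0 else None


def wrap_single(s):
    """Naive fix: surround with single quotes without escaping the contents."""
    return "'" + s + "'"


def survivors(passwords, send):
    """Passwords that reach the child byte-for-byte with the given method."""
    return [p for p in passwords if send(p) == p]


if __name__ == "__main__":
    everything = FAIL_LIST + [WITH_SINGLE_QUOTE]
    print("unquoted string:", survivors(everything, via_shell_string))
    print("single-quoted  :",
          survivors(everything, lambda p: via_shell_string(p, wrap_single)))
    print("shlex.quote    :",
          survivors(everything, lambda p: via_shell_string(p, shlex.quote)))
    print("argv list      :", survivors(everything, via_list))
```

On POSIX a list passed to `subprocess` with the default `shell=False` goes to the child without any shell parsing, which is why it is the only form here that needs no quoting decision at all.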

Comment 11 Alan Pevec 2011-08-31 16:59:34 UTC
(In reply to comment #1)
> Below is QE summary about register RHEVH to Satellite with special character
> password:

How did you create those?
When I tried to put space in RHN Hosted it said:
Password must be ASCII and cannot contain the following special characters (") (<) (>) (space)

Comment 17 Alan Pevec 2011-09-02 02:05:52 UTC
Created attachment 521128 [details]
fix rhn.py to quote arguments

Comment 19 Alan Pevec 2011-09-02 20:30:31 UTC
Created attachment 521282 [details]
fix rhn.py to quote arguments

Comment 23 errata-xmlrpc 2011-12-06 19:26:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1783.html

