Bug 732429 - fix rhn.py to quote arguments
Summary: fix rhn.py to quote arguments
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ovirt-node
Version: 6.2
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Alan Pevec
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On:
Blocks: 728234
TreeView+ depends on / blocked
 
Reported: 2011-08-22 12:58 UTC by Andrew Cathrow
Modified: 2016-04-26 15:21 UTC (History)
13 users (show)

Fixed In Version: ovirt-node-2.0.2-0.3.gitcf213a7.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-12-06 19:26:27 UTC
Target Upstream Version:

Attachments (Terms of Use)
ovirt.log (13.48 KB, text/plain)
2011-08-25 10:07 UTC, cshao 		no flags Details
fix rhn.py to quote arguments (4.11 KB, patch)
2011-09-02 02:05 UTC, Alan Pevec 		no flags Details | Diff
fix rhn.py to quote arguments (4.12 KB, patch)
2011-09-02 20:30 UTC, Alan Pevec 		no flags Details | Diff
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2011:1783 0 normal SHIPPED_LIVE rhev-hypervisor6 bug fix and enhancement update 2011-12-06 15:10:54 UTC

Description Andrew Cathrow 2011-08-22 12:58:41 UTC 
Alan - as per rhev-devel email. Reported during beta

rhn.py uses string instead of sequence for args in subprocess.Popen which can lead to errors w.r.t. string escaping.
Comment 1 cshao 2011-08-23 07:27:37 UTC 
Below is QE summary about register RHEVH to Satellite with special character password:
Fail:
(123qwe
)123qwe
;123qwe
"123qwe
<123qwe
">123qwe"
123 qwe(there is blank)
#123qwe
$123qwe
&123qwe

Pass:
[123qwe
]123qwe 
{123qwe
}123qwe
:123qwe
,123qwe
.123qwe
/123qwe
?123qwe
~123qwe
!123qwe
%123qwe
^123qwe
*123qwe
@123qwe
Comment 2 Joey Boggs 2011-08-23 17:43:46 UTC 

rhn/proxy user/password  are now single quoted to escape the characters

Some issues with a sequence. subprocess.Popen handles sequenced args as shell arguments rather than arguments to the program being called. No reason to create a list to have it rejoined in the end as a string. Can easily fix with single quotes on user managed options that could possibly have special characters and spaces.
Comment 5 cshao 2011-08-25 10:07:37 UTC 
Created attachment 519801 [details]
ovirt.log
Comment 8 Alan Pevec 2011-08-29 21:09:13 UTC 
> No reason to create a list to have it rejoined in the end as a string.

Actually, there's a reason: list2cmdline should do proper quoting for you,
so it's best to send args as a list.
Comment 9 Joey Boggs 2011-08-30 16:42:41 UTC 
quoting around the password where we need quotes gets mangled when quotes are in the password itself all other bad characters are fine. Even escaping them ahead of time makes the situation worse. any ideas?

list2cmdline put into sample script with output

http://pastebin.test.redhat.com/59937
Comment 10 Alan Pevec 2011-08-30 21:58:13 UTC 
Not sure I understand, afaict list2cmdline does correct thing, don't escape or quote anything, just send it as a list to Popen and it will quote/escape as needed.
Comment 11 Alan Pevec 2011-08-31 16:59:34 UTC 
(In reply to comment #1)
> Below is QE summary about register RHEVH to Satellite with special character
> password:

How did you create those?
When I tried to put space in RHN Hosted it said:
Password must be ASCII and cannot contain the following special characters (") (<) (>) (space)
Comment 17 Alan Pevec 2011-09-02 02:05:52 UTC 
Created attachment 521128 [details]
fix rhn.py to quote arguments
Comment 19 Alan Pevec 2011-09-02 20:30:31 UTC 
Created attachment 521282 [details]
fix rhn.py to quote arguments
Comment 23 errata-xmlrpc 2011-12-06 19:26:27 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1783.html
Note You need to log in before you can comment on or make changes to this bug.