Bug 732429 - fix rhn.py to quote arguments
Summary: fix rhn.py to quote arguments
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ovirt-node
Version: 6.2
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Alan Pevec
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On:
Blocks: 728234
Reported: 2011-08-22 12:58 UTC by Andrew Cathrow
Modified: 2016-04-26 15:21 UTC (History)

Fixed In Version: ovirt-node-2.0.2-0.3.gitcf213a7.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-12-06 19:26:27 UTC


Attachments
ovirt.log (13.48 KB, text/plain)
2011-08-25 10:07 UTC, cshao
fix rhn.py to quote arguments (4.11 KB, patch)
2011-09-02 02:05 UTC, Alan Pevec
fix rhn.py to quote arguments (4.12 KB, patch)
2011-09-02 20:30 UTC, Alan Pevec


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2011:1783 normal SHIPPED_LIVE rhev-hypervisor6 bug fix and enhancement update 2011-12-06 15:10:54 UTC

Description Andrew Cathrow 2011-08-22 12:58:41 UTC
Alan - as per rhev-devel email. Reported during beta

rhn.py uses string instead of sequence for args in subprocess.Popen which can lead to errors w.r.t. string escaping.

Comment 1 cshao 2011-08-23 07:27:37 UTC
Below is the QE summary of registering RHEVH to Satellite with special-character passwords:
Fail:
(123qwe
)123qwe
;123qwe
"123qwe
<123qwe
">123qwe"
123 qwe (there is a blank)
#123qwe
$123qwe
&123qwe

Pass:
[123qwe
]123qwe 
{123qwe
}123qwe
:123qwe
,123qwe
.123qwe
/123qwe
?123qwe
~123qwe
!123qwe
%123qwe
^123qwe
*123qwe
@123qwe

Comment 2 Joey Boggs 2011-08-23 17:43:46 UTC

rhn/proxy user/password are now single quoted to escape the characters

Some issues with a sequence. subprocess.Popen handles sequenced args as shell arguments rather than arguments to the program being called. No reason to create a list to have it rejoined in the end as a string. Can easily fix with single quotes on user managed options that could possibly have special characters and spaces.

Comment 5 cshao 2011-08-25 10:07:37 UTC
Created attachment 519801 [details]
ovirt.log

Comment 8 Alan Pevec 2011-08-29 21:09:13 UTC
> No reason to create a list to have it rejoined in the end as a string.

Actually, there's a reason: list2cmdline should do proper quoting for you,
so it's best to send args as a list.

Comment 9 Joey Boggs 2011-08-30 16:42:41 UTC
Quoting around the password where we need quotes gets mangled when quotes are in the password itself; all other bad characters are fine. Even escaping them ahead of time makes the situation worse. Any ideas?

list2cmdline put into sample script with output

http://pastebin.test.redhat.com/59937

Comment 10 Alan Pevec 2011-08-30 21:58:13 UTC
Not sure I understand; afaict list2cmdline does the correct thing. Don't escape or quote anything, just send it as a list to Popen and it will quote/escape as needed.
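
The difference discussed in Comments 2 through 10, as an added example that is not part of the bug thread or of the ovirt-node patch: it hands a subset of the failing passwords from Comment 1, plus one constructed value containing a single quote, to a child process in four ways and checks what the child actually receives. The child command, the mode names and the helper functions are assumptions made for the illustration, and a POSIX `/bin/sh` is assumed.

```python
import json
import shlex
import subprocess
import sys

# Hypothetical child: reports the arguments it actually received, as JSON.
CHILD = [sys.executable, "-c", "import sys, json; print(json.dumps(sys.argv[1:]))"]
CHILD_SH = " ".join(shlex.quote(part) for part in CHILD)

# Subset of the QE "Fail" list from Comment 1 (entries that cause no side
# effects when mis-parsed), plus one constructed value with a single quote.
PASSWORDS = ["(123qwe", ";123qwe", '"123qwe', "123 qwe", "#123qwe", "$123qwe", "12'3qwe"]


def received(cmd, shell):
    """Run cmd and return the argv list the child saw, or None on failure."""
    proc = subprocess.run(cmd, shell=shell, stdin=subprocess.DEVNULL,
                          stdout=subprocess.PIPE, stderr=subprocess.DEVNULL, text=True)
    try:
        return json.loads(proc.stdout)
    except ValueError:  # shell syntax error: the child never ran
        return None


def survives(password, mode):
    """True if the child receives exactly [password] under the given mode."""
    if mode == "unquoted":          # plain string interpolation
        got = received(f"{CHILD_SH} {password}", shell=True)
    elif mode == "single_quoted":   # hand-written single quotes around the value
        got = received(f"{CHILD_SH} '{password}'", shell=True)
    elif mode == "shlex_quote":     # shell string, value quoted by shlex.quote
        got = received(f"{CHILD_SH} {shlex.quote(password)}", shell=True)
    else:                           # "argv_list": sequence of args, no shell
        got = received(CHILD + [password], shell=False)
    return got == [password]


if __name__ == "__main__":
    modes = ("unquoted", "single_quoted", "shlex_quote", "argv_list")
    for pw in PASSWORDS:
        print(repr(pw), {m: survives(pw, m) for m in modes})
```

On POSIX a sequence passed without `shell=True` goes to the program as one argv entry per element with no shell parsing in between, which is why the `argv_list` mode needs no quoting at all.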

Comment 11 Alan Pevec 2011-08-31 16:59:34 UTC
(In reply to comment #1)
> Below is QE summary about register RHEVH to Satellite with special character
> password:

How did you create those?
When I tried to put a space in RHN Hosted it said:
Password must be ASCII and cannot contain the following special characters (") (<) (>) (space)

Comment 17 Alan Pevec 2011-09-02 02:05:52 UTC
Created attachment 521128 [details]
fix rhn.py to quote arguments

Comment 19 Alan Pevec 2011-09-02 20:30:31 UTC
Created attachment 521282 [details]
fix rhn.py to quote arguments

Comment 23 errata-xmlrpc 2011-12-06 19:26:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1783.html

