esx: Escape password for XML

Passwords are allowed to contain <, >, &, ', " characters. Those need to be replaced by the corresponding entities. Reported by Hereward Cooper.

esx: Escape password for XML
Passwords are allowed to contain <, >, &, ', " characters. Those need to be replaced by the corresponding entities. Reported by Hereward Cooper.
b31d6c12 · Matthias Bolte · d152f647 · b31d6c12 · b31d6c12 · b31d6c12
隐藏空白更改
内联并排

Showing with 43 addition and 6 deletion

src/esx/esx_driver.c src/esx/esx_driver.c +22 -6

src/esx/esx_util.c src/esx/esx_util.c +19 -0

src/esx/esx_util.h src/esx/esx_util.h +2 -0

未找到文件。
--- a/src/esx/esx_driver.c
+++ b/src/esx/esx_driver.c
@@ -626,6 +626,7 @@ esxConnectToHost(esxPrivate *priv, virConnectAuthPtr auth,
    int result = -1;
    char ipAddress[NI_MAXHOST] = "";
    char *username = NULL;
+    char *unescapedPassword = NULL;
    char *password = NULL;
    char *url = NULL;
    esxVI_String *propertyNameList = NULL;
@@ -657,13 +658,19 @@ esxConnectToHost(esxPrivate *priv, virConnectAuthPtr auth,
        }
    }

-    password = virRequestPassword(auth, username, hostname);
+    unescapedPassword = virRequestPassword(auth, username, hostname);

-    if (password == NULL) {
+    if (unescapedPassword == NULL) {
        ESX_ERROR(VIR_ERR_AUTH_FAILED, "%s", _("Password request failed"));
        goto cleanup;
    }

+    password = esxUtil_EscapeForXml(unescapedPassword);
+
+    if (password == NULL) {
+        goto cleanup;
+    }
+
    if (virAsprintf(&url, "%s://%s:%d/sdk", priv->transport, hostname,
                    port) < 0) {
        virReportOOMError();
@@ -727,8 +734,9 @@ esxConnectToHost(esxPrivate *priv, virConnectAuthPtr auth,
    result = 0;

  cleanup:
-    VIR_FREE(password);
    VIR_FREE(username);
+    VIR_FREE(unescapedPassword);
+    VIR_FREE(password);
    VIR_FREE(url);
    esxVI_String_Free(&propertyNameList);
    esxVI_ObjectContent_Free(&hostSystem);
@@ -748,6 +756,7 @@ esxConnectToVCenter(esxPrivate *priv, virConnectAuthPtr auth,
    int result = -1;
    char ipAddress[NI_MAXHOST] = "";
    char *username = NULL;
+    char *unescapedPassword = NULL;
    char *password = NULL;
    char *url = NULL;

@@ -779,13 +788,19 @@ esxConnectToVCenter(esxPrivate *priv, virConnectAuthPtr auth,
        }
    }

-    password = virRequestPassword(auth, username, hostname);
+    unescapedPassword = virRequestPassword(auth, username, hostname);

-    if (password == NULL) {
+    if (unescapedPassword == NULL) {
        ESX_ERROR(VIR_ERR_AUTH_FAILED, "%s", _("Password request failed"));
        goto cleanup;
    }

+    password = esxUtil_EscapeForXml(unescapedPassword);
+
+    if (password == NULL) {
+        goto cleanup;
+    }
+
    if (virAsprintf(&url, "%s://%s:%d/sdk", priv->transport, hostname,
                    port) < 0) {
        virReportOOMError();
@@ -822,8 +837,9 @@ esxConnectToVCenter(esxPrivate *priv, virConnectAuthPtr auth,
    result = 0;

  cleanup:
-    VIR_FREE(password);
    VIR_FREE(username);
+    VIR_FREE(unescapedPassword);
+    VIR_FREE(password);
    VIR_FREE(url);

    return result;

--- a/src/esx/esx_util.c
+++ b/src/esx/esx_util.c
@@ -552,3 +552,22 @@ esxUtil_EscapeDatastoreItem(const char *string)

    return escaped2;
 }
+
+
+
+char *
+esxUtil_EscapeForXml(const char *string)
+{
+    virBuffer buffer = VIR_BUFFER_INITIALIZER;
+
+    virBufferEscapeString(&buffer, "%s", string);
+
+    if (virBufferError(&buffer)) {
+        virReportOOMError();
+        virBufferFreeAndReset(&buffer);
+
+        return NULL;
+    }
+
+    return virBufferContentAndReset(&buffer);
+}
--- a/src/esx/esx_util.h
+++ b/src/esx/esx_util.h
@@ -62,4 +62,6 @@ void esxUtil_ReplaceSpecialWindowsPathChars(char *string);

 char *esxUtil_EscapeDatastoreItem(const char *string);

+char *esxUtil_EscapeForXml(const char *string);
+
 #endif /* __ESX_UTIL_H__ */