From 22c173192bb0dc189d8db84bbe8f0555b071f731 Mon Sep 17 00:00:00 2001
From: Tomas Jelinek <tojeline@redhat.com>
Date: Thu, 3 Sep 2015 17:14:05 +0200
Subject: [PATCH] fixed command injection vulnerability
---
 pcsd/fenceagent.rb | 18 ++++++++++++------
 pcsd/remote.rb     |  1 +
 pcsd/resource.rb   | 11 ++++++-----
 3 files changed, 19 insertions(+), 11 deletions(-)
diff --git a/pcsd/fenceagent.rb b/pcsd/fenceagent.rb
index 8b37147..c348597 100644
--- a/pcsd/fenceagent.rb
+++ b/pcsd/fenceagent.rb
@@ -18,12 +18,6 @@ def getFenceAgents(fence_agent = nil)
 end
 
 def getFenceAgentMetadata(fenceagentname)
-  # There are bugs in stonith_admin & the new fence_agents interaction
-  # eventually we'll want to switch back to this, but for now we directly
-  # call the agent to get metadata
-  #metadata = `stonith_admin --metadata -a #{fenceagentname}`
-  metadata = `/usr/sbin/#{fenceagentname} -o metadata`
-  doc = REXML::Document.new(metadata)
   options_required = {}
   options_optional = {}
   options_advanced = {
@@ -39,6 +33,18 @@ def getFenceAgentMetadata(fenceagentname)
     options_advanced["pcmk_" + a + "_timeout"] = ""
     options_advanced["pcmk_" + a + "_retries"] = ""
   end
+  # There are bugs in stonith_admin & the new fence_agents interaction
+  # eventually we'll want to switch back to this, but for now we directly
+  # call the agent to get metadata
+  #metadata = `stonith_admin --metadata -a #{fenceagentname}`
+  if not fenceagentname.start_with?('fence_') or fenceagentname.include?('/')
+    return [options_required, options_optional, options_advanced]
+  end
+  stdout, stderr, retval = run_cmd(
+    "/usr/sbin/#{fenceagentname}", '-o', 'metadata'
+  )
+  doc = REXML::Document.new(stdout.join)
+
   doc.elements.each('resource-agent/parameters/parameter') { |param|
     temp_array = []
     if param.elements["shortdesc"]
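Review bot: The new guard `if not fenceagentname.start_with?('fence_') or fenceagentname.include?('/')` is a single-character denylist, and it fails silently — a rejected name returns the same three hashes as a genuine agent with no parameters, so the caller cannot distinguish "invalid request" from "no options". The injection itself is closed because the name now reaches `run_cmd` as a separate argv element (assuming `run_cmd`, whose definition is not in this patch, spawns without a shell), but I would still tighten the name to an explicit character class and only parse output from a successful run: `return [options_required, options_optional, options_advanced] unless fenceagentname =~ /\Afence_[A-Za-z0-9_.-]+\z/` and `doc = REXML::Document.new(retval == 0 ? stdout.join : '')` — or better, accept only names that `getFenceAgents` (declared in the hunk header above, body not visible) actually enumerates. `stderr` and `retval` are otherwise unused, so a missing or crashing agent currently produces an empty document with no diagnostic. getFenceAgentMetadata continues past the end of the hunk.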
diff --git a/pcsd/remote.rb b/pcsd/remote.rb
index fe4a5d9..b3eca7e 100644
--- a/pcsd/remote.rb
+++ b/pcsd/remote.rb
@@ -840,6 +840,7 @@ def resource_metadata (params)
   return 200 if not params[:resourcename] or params[:resourcename] == ""
   resource_name = params[:resourcename][params[:resourcename].rindex(':')+1..-1]
   class_provider = params[:resourcename][0,params[:resourcename].rindex(':')]
+  return [400, 'Invalid resource agent name'] if resource_name.include?('/')
 
   @resource = ResourceAgent.new(params[:resourcename])
   if class_provider == "ocf:heartbeat"
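Review bot: The added `return [400, ...] if resource_name.include?('/')` validates only the part after the last colon, while `class_provider` — the other half of the user-supplied `params[:resourcename]`, which the visible `if class_provider == "ocf:heartbeat"` branches on — is not validated anywhere in this hunk, and `resource_name` can still be empty or `.`/`..` (`ocf:heartbeat:..` contains no slash and passes). I would validate with a character class rather than a one-character denylist: `return [400, 'Invalid resource agent name'] unless resource_name =~ /\A[A-Za-z0-9_.-]+\z/ && resource_name !~ /\A\.+\z/`, and apply the same check to the class/provider part if any later branch builds a filesystem path from it (that code is outside the hunk). Note also that the preceding `params[:resourcename].rindex(':')+1` raises NoMethodError when the name has no colon, turning a bad request into a 500 rather than the 400 this hunk introduces. resource_metadata continues past the end of the hunk.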
diff --git a/pcsd/resource.rb b/pcsd/resource.rb
index 387e791..4e159f8 100644
--- a/pcsd/resource.rb
+++ b/pcsd/resource.rb
@@ -103,11 +103,12 @@ def getResourceOptions(resource_id,stonith=false)
 
   ret = {}
   if stonith
-    resource_options = `#{PCS} stonith show #{resource_id}`
+    command = [PCS, 'stonith', 'show', resource_id]
   else
-    resource_options = `#{PCS} resource show #{resource_id}`
+    command = [PCS, 'resource', 'show', resource_id]
   end
-  resource_options.each_line { |line|
+  stdout, stderr, retval = run_cmd(*command)
+  stdout.each { |line|
     keyval = line.strip.split(/: /,2)
     if keyval[0] == "Attributes" then
       options = keyval[1].split(/ /)
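Review bot: `stderr` and `retval` returned by `run_cmd(*command)` are discarded, so a `pcs ... show` that fails — an unknown `resource_id`, or one beginning with `-` that pcs might now parse as an option since it arrives as its own argv element (pcs' option handling is not visible here) — silently yields an empty `ret`, indistinguishable from a resource with no attributes. I would at least stop parsing on failure, `return ret unless retval == 0`, and log `stderr` with whatever logger this file uses so the cause is visible. As a style point, the `if stonith` / `else` pair collapses to `command = [PCS, stonith ? 'stonith' : 'resource', 'show', resource_id]`. getResourceOptions starts before this hunk.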
@@ -281,8 +282,8 @@ end
 
 def getResourceMetadata(resourcepath)
   ENV['OCF_ROOT'] = OCF_ROOT
-  metadata = `#{resourcepath} meta-data`
-  doc = REXML::Document.new(metadata)
+  stdout, stderr, retval = run_cmd(resourcepath, 'meta-data')
+  doc = REXML::Document.new(stdout.join)
   options_required = {}
   options_optional = {}
   long_desc = ""
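Review bot: `getResourceMetadata` still executes whatever `resourcepath` it is handed, so after this patch its safety rests entirely on every caller validating the agent name the way `remote.rb` now does; a defensive check at this choke point would cover any caller that was missed. If every caller passes a path under `OCF_ROOT` — the only root visible here, the callers are not in this hunk — a one-line guard such as `raise ArgumentError, "agent outside OCF_ROOT: #{resourcepath}" unless File.expand_path(resourcepath).start_with?(OCF_ROOT + '/')` would reject traversal (`File.expand_path` collapses `..`) regardless of how the path was assembled. As in fenceagent.rb, `stderr` and `retval` are unused, so a failing agent is parsed as an empty document with no diagnostic; `doc = REXML::Document.new(retval == 0 ? stdout.join : '')` with a log of `stderr` would make that visible. The function continues past the end of the hunk.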
-- 
1.9.1