[libvirt] [PATCH 10/11] conf: Disallow new nwfilters to use all white space as name

John Ferlan jferlan at redhat.com
Mon Jul 30 18:46:47 UTC 2018


https://bugzilla.redhat.com/show_bug.cgi?id=1107420

Add a new define/create flag VIR_NWFILTER_DEF_PARSE_VALIDATE_NAME
to prevent new nwfilters from being defined/created using a name
composed entirely of spaces.

Alter the nwfilterxml2xmltest to add a test in order to prove the
failure occurs.

Signed-off-by: John Ferlan <jferlan at redhat.com>
---
 src/conf/nwfilter_conf.c                            | 9 ++++++++-
 src/conf/nwfilter_conf.h                            | 7 +++++++
 src/nwfilter/nwfilter_driver.c                      | 3 ++-
 tests/nwfilterxml2xmlin/name-whitespace-invalid.xml | 4 ++++
 tests/nwfilterxml2xmltest.c                         | 7 ++++++-
 5 files changed, 27 insertions(+), 3 deletions(-)
 create mode 100644 tests/nwfilterxml2xmlin/name-whitespace-invalid.xml

diff --git a/src/conf/nwfilter_conf.c b/src/conf/nwfilter_conf.c
index c1867fb946..4f99f88dca 100644
--- a/src/conf/nwfilter_conf.c
+++ b/src/conf/nwfilter_conf.c
@@ -2614,7 +2614,7 @@ virNWFilterDefParseXML(xmlXPathContextPtr ctxt,
     int chain_priority;
     const char *name_prefix;
 
-    virCheckFlags(0, NULL);
+    virCheckFlags(VIR_NWFILTER_DEF_PARSE_VALIDATE_NAME, NULL);
 
     if (VIR_ALLOC(ret) < 0)
         return NULL;
@@ -2626,6 +2626,13 @@ virNWFilterDefParseXML(xmlXPathContextPtr ctxt,
         goto cleanup;
     }
 
+    if ((flags & VIR_NWFILTER_DEF_PARSE_VALIDATE_NAME) &&
+        virStringIsEmpty(ret->name)) {
+        virReportError(VIR_ERR_XML_ERROR, "%s",
+                       _("name must contain at least one non blank character"));
+        goto cleanup;
+    }
+
     chain_pri_s = virXPathString("string(./@priority)", ctxt);
     if (chain_pri_s) {
         if (virStrToLong_i(chain_pri_s, NULL, 10, &chain_priority) < 0) {
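Review bot: The added `virStringIsEmpty(ret->name)` test rejects only names that are blank from end to end, so under VIR_NWFILTER_DEF_PARSE_VALIDATE_NAME a name with leading or trailing white space, or with characters such as `/` or a newline, is still accepted from client-supplied XML. Where the name is used afterwards is not visible in this hunk, so whether those characters matter is an assumption to confirm; if the name reaches a file path or a firewall chain name, the same flag could also gate a check like the one virXMLCheckIllegalChars() provides elsewhere in libvirt. At minimum I would state the limit next to the check, e.g. `/* Only an all-blank name is rejected here; no other characters are validated. */`. The body of virNWFilterDefParseXML starts and ends outside this hunk.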
diff --git a/src/conf/nwfilter_conf.h b/src/conf/nwfilter_conf.h
index 5ffdc07fab..2a7eabbf91 100644
--- a/src/conf/nwfilter_conf.h
+++ b/src/conf/nwfilter_conf.h
@@ -559,6 +559,13 @@ int
 virNWFilterDeleteDef(const char *configDir,
                      virNWFilterDefPtr def);
 
+typedef enum {
+    /* Perform extra name validation on new nwfilter names which
+     * will cause failure to parse the XML. Initially just that a
+     * name cannot be all white space. */
+    VIR_NWFILTER_DEF_PARSE_VALIDATE_NAME = 1 << 0,
+} virNWFilterDefParseFlags;
+
 virNWFilterDefPtr
 virNWFilterDefParseNode(xmlDocPtr xml,
                         xmlNodePtr root,
diff --git a/src/nwfilter/nwfilter_driver.c b/src/nwfilter/nwfilter_driver.c
index d850a66b28..3529dfa519 100644
--- a/src/nwfilter/nwfilter_driver.c
+++ b/src/nwfilter/nwfilter_driver.c
@@ -546,6 +546,7 @@ nwfilterDefineXML(virConnectPtr conn,
     virNWFilterObjPtr obj = NULL;
     virNWFilterDefPtr objdef;
     virNWFilterPtr nwfilter = NULL;
+    unsigned int parse_flags = VIR_NWFILTER_DEF_PARSE_VALIDATE_NAME;
 
     if (!driver->privileged) {
         virReportError(VIR_ERR_OPERATION_INVALID, "%s",
@@ -556,7 +557,7 @@ nwfilterDefineXML(virConnectPtr conn,
     nwfilterDriverLock();
     virNWFilterWriteLockFilterUpdates();
 
-    if (!(def = virNWFilterDefParseString(xml, 0)))
+    if (!(def = virNWFilterDefParseString(xml, parse_flags)))
         goto cleanup;
 
     if (virNWFilterDefineXMLEnsureACL(conn, def) < 0)
diff --git a/tests/nwfilterxml2xmlin/name-whitespace-invalid.xml b/tests/nwfilterxml2xmlin/name-whitespace-invalid.xml
new file mode 100644
index 0000000000..452847ae93
--- /dev/null
+++ b/tests/nwfilterxml2xmlin/name-whitespace-invalid.xml
@@ -0,0 +1,4 @@
+<filter name=' '>
+  <uuid>83011800-f663-96d6-8841-fd836b4318c6</uuid>
+  <filterref filter=' '/>
+</filter>
diff --git a/tests/nwfilterxml2xmltest.c b/tests/nwfilterxml2xmltest.c
index 0c79afa8ee..de63ab1a91 100644
--- a/tests/nwfilterxml2xmltest.c
+++ b/tests/nwfilterxml2xmltest.c
@@ -26,11 +26,14 @@ testCompareXMLToXMLFiles(const char *inxml, const char *outxml,
     char *actual = NULL;
     int ret = -1;
     virNWFilterDefPtr dev = NULL;
+    unsigned int parse_flags = VIR_NWFILTER_DEF_PARSE_VALIDATE_NAME;
 
     virResetLastError();
 
-    if (!(dev = virNWFilterDefParseFile(inxml, 0))) {
+    if (!(dev = virNWFilterDefParseFile(inxml, parse_flags))) {
         if (expect_error) {
+            VIR_TEST_DEBUG("Got expected parse failure msg='%s'",
+                           virGetLastErrorMessage());
             virResetLastError();
             goto done;
         }
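Review bot: With `expect_error` set, any parse failure takes the `goto done` path, so `DO_TEST("name-whitespace-invalid", true)` does not show that the new name check is what rejected the file; VIR_TEST_DEBUG only prints the message. The fixture also contains `<filterref filter=' '/>`, which might be rejected for its own reason and would keep the test passing even if the name check regressed. I would drop the filterref from the fixture so the blank name is its only defect, and compare virGetLastErrorMessage() with the expected text before accepting the failure. Note too that `parse_flags` now applies to every existing case in this test, not only the new one. The body of testCompareXMLToXMLFiles continues outside this hunk.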
@@ -149,6 +152,8 @@ mymain(void)
 
     DO_TEST("ipset-test", false);
 
+    DO_TEST("name-whitespace-invalid", true);
+
     return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
 }
 
-- 
2.17.1



