api: check untrusted image files for import content type

Check files that are about to be imported for external references if they
are of content type 'import'.

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
Dominik Csapak 2024-11-18 16:29:19 +01:00 committed by Thomas Lamprecht
parent 95ae60c8a4
commit 78f7050482


@ -440,6 +440,7 @@ my sub create_disks : prototype($$$$$$$$$$$) {
my ($vtype, undef, undef, undef, undef, undef, $fmt) my ($vtype, undef, undef, undef, undef, undef, $fmt)
= PVE::Storage::parse_volname($storecfg, $source); = PVE::Storage::parse_volname($storecfg, $source);
my $needs_extraction = PVE::QemuServer::Helpers::needs_extraction($vtype, $fmt); my $needs_extraction = PVE::QemuServer::Helpers::needs_extraction($vtype, $fmt);
my $untrusted = $vtype eq 'import' ? 1 : 0;
if ($needs_extraction) { if ($needs_extraction) {
print "extracting $source\n"; print "extracting $source\n";
my $extracted_volid = PVE::GuestImport::extract_disk_from_import_file( my $extracted_volid = PVE::GuestImport::extract_disk_from_import_file(
@ -457,7 +458,8 @@ my sub create_disks : prototype($$$$$$$$$$$) {
if ($live_import && $ds ne 'efidisk0') { if ($live_import && $ds ne 'efidisk0') {
my $path = PVE::Storage::path($storecfg, $source) my $path = PVE::Storage::path($storecfg, $source)
or die "failed to get a path for '$source'\n"; or die "failed to get a path for '$source'\n";
($size, my $source_format) = PVE::Storage::file_size_info($path); #·check·potentially·untrusted·image·file·for·import·vtype
($size, my $source_format) = PVE::Storage::file_size_info($path, undef, $untrusted);
die "could not get file size of $path\n" if !$size; die "could not get file size of $path\n" if !$size;
$live_import_mapping->{$ds} = { $live_import_mapping->{$ds} = {
path => $path, path => $path,
@ -466,6 +468,12 @@ my sub create_disks : prototype($$$$$$$$$$$) {
$live_import_mapping->{$ds}->{'delete-after-finish'} = $source $live_import_mapping->{$ds}->{'delete-after-finish'} = $source
if $needs_extraction; if $needs_extraction;
} else { } else {
# check potentially untrusted image file for import vtype
if ($untrusted) {
my $path = PVE::Storage::path($storecfg, $source);
PVE::Storage::file_size_info($path, undef, 1);
}
my $dest_info = { my $dest_info = {
vmid => $vmid, vmid => $vmid,
drivename => $ds, drivename => $ds,
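Review bot: In the third hunk's `else` branch the result of `PVE::Storage::file_size_info($path, undef, 1)` is discarded and the `PVE::Storage::path` call has no `or die`, so the untrusted-image check there only stops the import if `file_size_info` itself dies on every failure. If it can return undef instead (for example when probing the image fails; not visible here), the import would continue without the check having run. The live-import branch in the second hunk already fails closed with `die "could not get file size of $path\n" if !$size;`, and the non-live branch should match it: `my ($img_size) = PVE::Storage::file_size_info($path, undef, $untrusted);` followed by `die "could not get file size of $path\n" if !$img_size;`, plus `or die "failed to get a path for '$source'\n"` on the `path` call. Passing `$untrusted` instead of the literal `1` also keeps the two call sites consistent. `create_disks` starts and ends outside these hunks, so the surrounding scope should be checked before applying this.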