From 3815caab495ce2644eee574bb3564cddf886bebe Mon Sep 17 00:00:00 2001 From: "Richard W.M. Jones" Date: Sat, 20 Dec 2014 17:46:53 +0000 Subject: [PATCH] v2v: -o libvirt: Prevent possible XPath injection. Ensure the arch string is sane before using it in the following XPath expression. Since the arch string can be derived from untrusted guest data [see src/filearch.c], this prevents a possible XPath injection vulnerability. (cherry picked from commit 6c6ce85f94c36803fe2db35a98db436bff0c14b0) --- v2v/output_libvirt.ml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/v2v/output_libvirt.ml b/v2v/output_libvirt.ml index dc9466c..7f9a3a0 100644 --- a/v2v/output_libvirt.ml +++ b/v2v/output_libvirt.ml @@ -30,9 +30,15 @@ module StringSet = Set.Make (String) let string_set_of_list = List.fold_left (fun set x -> StringSet.add x set) StringSet.empty +let arch_sanity_re = Str.regexp "^[-_A-Za-z0-9]+$" + let target_features_of_capabilities_doc doc arch = let xpathctx = Xml.xpath_new_context doc in let expr = + (* Check the arch is sane. It comes from untrusted input. This + * avoids XPath injection below. + *) + assert (Str.string_match arch_sanity_re arch 0); (* NB: Pay attention to the square brackets. This returns the * nodes! *) -- 1.8.3.1