As reported in the community forum [0], when a remote migration request comes in via an API client, the -T flag for Perl is set, so an insecure dependency in a call like unlink() in forward_unix_socket() will fail with:
> failed to write forwarding command - Insecure dependency in unlink while > running with -T switch To fix it, untaint the problematic socket addresses coming from the remote side. Require that all sockets are below '/run/qemu-server/' and end with '.migrate'. This allows extensions in the future while still being quite strict. [0]: https://forum.proxmox.com/threads/123048/post-691958 Signed-off-by: Fiona Ebner <f.eb...@proxmox.com> --- Changes in v2: * rule out '../' in path PVE/QemuMigrate.pm | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/PVE/QemuMigrate.pm b/PVE/QemuMigrate.pm index e71face4..d31589e7 100644 --- a/PVE/QemuMigrate.pm +++ b/PVE/QemuMigrate.pm @@ -1095,7 +1095,10 @@ sub phase2 { die "only UNIX sockets are supported for remote migration\n" if $tunnel_info->{proto} ne 'unix'; - my $remote_socket = $tunnel_info->{addr}; + # untaint + my ($remote_socket) = + $tunnel_info->{addr} =~ m|^(/run/qemu-server/(?:(?!\.\./).)+\.migrate)$|; + die "unexpected socket address '$tunnel_info->{addr}'\n" if !$remote_socket; my $local_socket = $remote_socket; $local_socket =~ s/$remote_vmid/$vmid/g; $tunnel_info->{addr} = $local_socket; @@ -1104,6 +1107,9 @@ sub phase2 { PVE::Tunnel::forward_unix_socket($self->{tunnel}, $local_socket, $remote_socket); foreach my $remote_socket (@{$tunnel_info->{unix_sockets}}) { + # untaint + ($remote_socket) = $remote_socket =~ m|^(/run/qemu-server/(?:(?!\.\./).)+\.migrate)$| + or die "unexpected socket address '$remote_socket'\n"; my $local_socket = $remote_socket; $local_socket =~ s/$remote_vmid/$vmid/g; next if $self->{tunnel}->{forwarded}->{$local_socket}; -- 2.39.2 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
