feature #1112: Fix unsafe eval in xpath.rb by joining values with \0

src/datastore_mad/remotes/fs/cp

@@ -21,7 +21,7 @@
 # Several SRC types are supported
 ###############################################################################
 
-# -------- Set up the environment to source common tools & conf ------------ 
+# -------- Set up the environment to source common tools & conf ------------
 
 if [ -z "${ONE_LOCATION}" ]; then
     LIB_LOCATION=/usr/lib/one
@@ -34,7 +34,7 @@ fi
 DRIVER_PATH=$(dirname $0)
 source ${DRIVER_PATH}/../libfs.sh
 
-# -------- Get cp and datastore arguments from OpenNebula core ------------ 
+# -------- Get cp and datastore arguments from OpenNebula core ------------
 
 DRV_ACTION=$1
 ID=$2
@@ -42,11 +42,11 @@ ID=$2
 set_up_datastore $DRV_ACTION
 
 XPATH="${DRIVER_PATH}/../xpath.rb -b $DRV_ACTION"
-eval "SRC=`$XPATH /DS_DRIVER_ACTION_DATA/IMAGE/PATH`"
+SRC=`$XPATH /DS_DRIVER_ACTION_DATA/IMAGE/PATH`
 
 DST=`generate_image_path`
 
-# ------------ Copy the image to the repository ------------- 
+# ------------ Copy the image to the repository -------------
 
 case $SRC in
 http://*)
@@ -63,9 +63,9 @@ http://*)
         error_message "Not allowed to copy image file $SRC"
         exit -1
     fi
-    
+
     log "Copying local image $SRC to the image repository"
-    
+
     exec_and_log "cp -f $SRC $DST" "Error copying $SRC to $DST"
 
     exec_and_log "chmod 0660 $DST"

src/datastore_mad/remotes/fs/mkfs

@@ -21,7 +21,7 @@
 # as (FS)
 ###############################################################################
 
-# -------- Set up the environment to source common tools & conf ------------ 
+# -------- Set up the environment to source common tools & conf ------------
 
 if [ -z "${ONE_LOCATION}" ]; then
     LIB_LOCATION=/usr/lib/one
@@ -34,16 +34,22 @@ fi
 DRIVER_PATH=$(dirname $0)
 source ${DRIVER_PATH}/../libfs.sh
 
-# -------- Get mkfs and datastore arguments from OpenNebula core ------------ 
+# -------- Get mkfs and datastore arguments from OpenNebula core ------------
 
 DRV_ACTION=$1
 ID=$2
 
 set_up_datastore $DRV_ACTION
 
-XPATH="${DRIVER_PATH}/../xpath.rb -b $DRV_ACTION"
-eval "FSTYPE=`$XPATH /DS_DRIVER_ACTION_DATA/IMAGE/FSTYPE`"
-eval "SIZE=`$XPATH /DS_DRIVER_ACTION_DATA/IMAGE/SIZE`"
+unset i XPATH_ELEMENTS
+
+while IFS= read -r -d '' element; do
+    XPATH_ELEMENTS[i++]="$element"
+done < <($XPATH     /DS_DRIVER_ACTION_DATA/IMAGE/FSTYPE \
+                    /DS_DRIVER_ACTION_DATA/IMAGE/SIZE)
+
+FSTYPE="${XPATH_ELEMENTS[0]}"
+SIZE="${XPATH_ELEMENTS[1]}"
 
 DST=`generate_image_path`
 

src/datastore_mad/remotes/fs/rm

@@ -17,10 +17,10 @@
 #--------------------------------------------------------------------------- #
 
 ###############################################################################
-# This script is used to remove a VM image (SRC) from the image repository 
+# This script is used to remove a VM image (SRC) from the image repository
 ###############################################################################
 
-# ------------ Set up the environment to source common tools ------------ 
+# ------------ Set up the environment to source common tools ------------
 
 if [ -z "${ONE_LOCATION}" ]; then
     LIB_LOCATION=/usr/lib/one
@@ -33,15 +33,15 @@ fi
 DRIVER_PATH=$(dirname $0)
 source ${DRIVER_PATH}/../libfs.sh
 
-# -------- Get rm and datastore arguments from OpenNebula core ------------ 
+# -------- Get rm and datastore arguments from OpenNebula core ------------
 
 DRV_ACTION=$1
 ID=$2
 
 XPATH="${DRIVER_PATH}/../xpath.rb -b $DRV_ACTION"
-eval "SRC=`$XPATH /DS_DRIVER_ACTION_DATA/IMAGE/SOURCE`"
+SRC=`$XPATH /DS_DRIVER_ACTION_DATA/IMAGE/SOURCE`
 
-# ------------ Remove the image from the repository ------------ 
+# ------------ Remove the image from the repository ------------
 
 if [ -e $SRC ] ; then
     log "Removing $SRC from the image repository"

src/datastore_mad/remotes/vmware/cp

@@ -21,7 +21,7 @@
 # Several SRC types are supported
 ###############################################################################
 
-# -------- Set up the environment to source common tools & conf ------------ 
+# -------- Set up the environment to source common tools & conf ------------
 
 if [ -z "${ONE_LOCATION}" ]; then
     LIB_LOCATION=/usr/lib/one
@@ -34,7 +34,7 @@ fi
 DRIVER_PATH=$(dirname $0)
 source ${DRIVER_PATH}/../libfs.sh
 
-# -------- Get cp and datastore arguments from OpenNebula core ------------ 
+# -------- Get cp and datastore arguments from OpenNebula core ------------
 
 DRV_ACTION=$1
 ID=$2
@@ -42,11 +42,11 @@ ID=$2
 set_up_datastore $DRV_ACTION
 
 XPATH="${DRIVER_PATH}/../xpath.rb -b $DRV_ACTION"
-eval "SRC=`$XPATH /DS_DRIVER_ACTION_DATA/IMAGE/PATH`"
+SRC=`$XPATH /DS_DRIVER_ACTION_DATA/IMAGE/PATH`
 
 DST=`generate_image_path`
 
-# ------------ Copy the image to the repository ------------- 
+# ------------ Copy the image to the repository -------------
 
 case $SRC in
 http://*)

src/datastore_mad/remotes/vmware/mkfs

@@ -21,7 +21,7 @@
 # as (FS)
 ###############################################################################
 
-# -------- Set up the environment to source common tools & conf ------------ 
+# -------- Set up the environment to source common tools & conf ------------
 
 if [ -z "${ONE_LOCATION}" ]; then
     LIB_LOCATION=/usr/lib/one
@@ -34,7 +34,7 @@ fi
 DRIVER_PATH=$(dirname $0)
 source ${DRIVER_PATH}/../libfs.sh
 
-# -------- Get mkfs and datastore arguments from OpenNebula core ------------ 
+# -------- Get mkfs and datastore arguments from OpenNebula core ------------
 
 DRV_ACTION=$1
 ID=$2
@@ -42,8 +42,16 @@ ID=$2
 set_up_datastore $DRV_ACTION
 
 XPATH="${DRIVER_PATH}/../xpath.rb -b $DRV_ACTION"
-eval "FSTYPE=`$XPATH /DS_DRIVER_ACTION_DATA/IMAGE/FSTYPE`"
-eval "SIZE=`$XPATH /DS_DRIVER_ACTION_DATA/IMAGE/SIZE`"
+
+unset i XPATH_ELEMENTS
+
+while IFS= read -r -d '' element; do
+    XPATH_ELEMENTS[i++]="$element"
+done < <($XPATH     /DS_DRIVER_ACTION_DATA/IMAGE/FSTYPE \
+                    /DS_DRIVER_ACTION_DATA/IMAGE/SIZE)
+
+FSTYPE="${XPATH_ELEMENTS[0]}"
+SIZE="${XPATH_ELEMENTS[1]}"
 
 DST=`generate_image_path`
 

src/datastore_mad/remotes/vmware/rm

@@ -17,10 +17,10 @@
 #--------------------------------------------------------------------------- #
 
 ###############################################################################
-# This script is used to remove a VM image (SRC) from the image repository 
+# This script is used to remove a VM image (SRC) from the image repository
 ###############################################################################
 
-# ------------ Set up the environment to source common tools ------------ 
+# ------------ Set up the environment to source common tools ------------
 
 if [ -z "${ONE_LOCATION}" ]; then
     LIB_LOCATION=/usr/lib/one
@@ -33,15 +33,15 @@ fi
 DRIVER_PATH=$(dirname $0)
 source ${DRIVER_PATH}/../libfs.sh
 
-# -------- Get rm and datastore arguments from OpenNebula core ------------ 
+# -------- Get rm and datastore arguments from OpenNebula core ------------
 
 DRV_ACTION=$1
 ID=$2
 
 XPATH="${DRIVER_PATH}/../xpath.rb -b $DRV_ACTION"
-eval "SRC=`$XPATH /DS_DRIVER_ACTION_DATA/IMAGE/SOURCE`"
+SRC=`$XPATH /DS_DRIVER_ACTION_DATA/IMAGE/SOURCE`
 
-# ------------ Remove the image from the repository ------------ 
+# ------------ Remove the image from the repository ------------
 
 if [ -e $SRC ] ; then
     log "Removing $SRC from the image repository"

src/datastore_mad/remotes/xpath.rb

@@ -45,10 +45,11 @@ values = ""
 tmp = Base64::decode64(tmp64)
 xml = REXML::Document.new(tmp).root
 
-ARGV.each { |xpath|
+ARGV.each do |xpath|
 	element = xml.elements[xpath]
-	values  << "\'#{element.text}\' " if !element.nil?
-}
+    values << element.text if !element.nil?
+    values << "\0"
+end
 
 puts values