Bug #27189: Fix xml-escape
When creating XML from scratch, user-supplied values need to be escaped.
diff --git a/branches/ucs-3.0/ucs/virtualization/univention-virtual-machine-manager-daemon/src/univention/uvmm/node.py b/branches/ucs-3.0/ucs/virtualization/univention-virtual-machine-manager-daemon/src/univention/uvmm/node.py
index c7c82c6..e60daab 100644
--- a/branches/ucs-3.0/ucs/virtualization/univention-virtual-machine-manager-daemon/src/univention/uvmm/node.py
+++ b/branches/ucs-3.0/ucs/virtualization/univention-virtual-machine-manager-daemon/src/univention/uvmm/node.py
@@ -56,6 +56,7 @@ import errno
import fnmatch
import re
import random
+from xml.sax.saxutils import escape as xml_escape
try:
import xml.etree.ElementTree as ET
except ImportError:
@@ -1590,7 +1591,7 @@ def domain_snapshot_create(uri, domain, snapshot):
if dom_stat.pd.snapshots is None:
raise NodeError(_('Snapshot not supported "%(node)s"'), node=uri)
old_state = dom_stat.key()
- xml = '''%s''' % snapshot
+ xml = '''%s''' % (xml_escape(snapshot),)
s = dom.snapshotCreateXML(xml, 0)
dom_stat.update(dom)
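Review bot: `xml_escape` with its default arguments rewrites only `&`, `<` and `>`, so the new `xml = ... % (xml_escape(snapshot),)` line is sufficient only while `%s` sits in element content; the template's markup is not visible in this hunk, so that should be confirmed. If a placeholder ends up inside an attribute value, quote characters pass through unescaped, and `xml.sax.saxutils.quoteattr(value)` or `xml_escape(value, {'"': '&quot;', "'": '&apos;'})` is the matching call. The same question applies to the `pool`, `path`, `name` and `type` substitutions in the storage.py hunks. The body of domain_snapshot_create starts and ends outside the hunk.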
diff --git a/branches/ucs-3.0/ucs/virtualization/univention-virtual-machine-manager-daemon/src/univention/uvmm/storage.py b/branches/ucs-3.0/ucs/virtualization/univention-virtual-machine-manager-daemon/src/univention/uvmm/storage.py
index a544230..cfae567 100644
--- a/branches/ucs-3.0/ucs/virtualization/univention-virtual-machine-manager-daemon/src/univention/uvmm/storage.py
+++ b/branches/ucs-3.0/ucs/virtualization/univention-virtual-machine-manager-daemon/src/univention/uvmm/storage.py
@@ -42,6 +42,7 @@ from protocol import Disk, Data_Pool
import os.path
import univention.config_registry as ucr
import time
+from xml.sax.saxutils import escape as xml_escape
configRegistry = ucr.ConfigRegistry()
configRegistry.load()
@@ -63,8 +64,8 @@ def create_storage_pool(conn, dir, pool_name='default'):
''' % {
- 'pool': pool_name,
- 'path': dir,
+ 'pool': xml_escape(pool_name),
+ 'path': xml_escape(dir),
}
try:
p = conn.storagePoolDefineXML(xml, 0)
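Review bot: Escaping `dir` keeps the pool XML well-formed but does not restrict which directory the pool targets, and nothing in this hunk checks the path before `conn.storagePoolDefineXML(xml, 0)`. If `dir` can come from a client request (the commit message calls these values user supplied), a check such as `if not os.path.isabs(dir): raise ...` together with a comparison against the permitted base directories belongs ahead of the template. If that policy is already enforced by the caller, a comment next to the dict such as `# escaping only guarantees well-formed XML; the path itself is validated by the caller` would record it. create_storage_pool continues outside the hunk.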
@@ -127,7 +128,7 @@ def create_storage_volume(conn, domain, disk):
size = 8 << 30 # GiB
values = {
- 'name': os.path.basename(disk.source),
+ 'name': xml_escape(os.path.basename(disk.source)),
'size': size,
}
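Review bot: `os.path.basename(disk.source)` returns an empty string when the source ends in `/` and returns `..` unchanged, and `xml_escape` passes both through, so the volume name can still be empty or a dot entry after this change. A guard before `values` is built, e.g. `name = os.path.basename(disk.source)` followed by `if name in ('', '.', '..'): raise ...` using the module's existing error type, would reject those early. The body of create_storage_volume starts and ends outside the hunk.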
@@ -137,7 +138,7 @@ def create_storage_volume(conn, domain, disk):
pool_type = doc.firstChild.getAttribute('type')
if pool_type in ('dir', 'fs', 'netfs'):
if hasattr(disk, 'driver_type') and disk.driver_type not in (None, 'iso', 'aio'):
- values['type'] = disk.driver_type
+ values['type'] = xml_escape(disk.driver_type)
else:
values['type'] = 'raw'
# permissions
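Review bot: `disk.driver_type` is a format identifier rather than free text, so checking it against the set of formats the daemon supports would be stricter than escaping it; the only test visible here is `disk.driver_type not in (None, 'iso', 'aio')`. Something like `if disk.driver_type not in SUPPORTED_FORMATS: raise ...` (the constant name is a placeholder) rejects unexpected values instead of forwarding them to libvirt in escaped form. The hunk ends inside create_storage_volume.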