esx: Escape password for XML

Passwords are allowed to contain <, >, &, ', " characters. Those need to be replaced by the corresponding entities. Reported by Hereward Cooper.
2025-01-22 12:35:17 +00:00 · 2011-03-03 22:11:24 +01:00 · 2011-03-03 22:11:24 +01:00 · b31d6c1269
commit b31d6c1269
parent d152f64760
3 changed files with 43 additions and 6 deletions
--- a/src/esx/esx_driver.c
+++ b/src/esx/esx_driver.c
@ -626,6 +626,7 @@ esxConnectToHost(esxPrivate *priv, virConnectAuthPtr auth,
    int result = -1;
    char ipAddress[NI_MAXHOST] = "";
    char *username = NULL;
+    char *unescapedPassword = NULL;
    char *password = NULL;
    char *url = NULL;
    esxVI_String *propertyNameList = NULL;
@ -657,10 +658,16 @@ esxConnectToHost(esxPrivate *priv, virConnectAuthPtr auth,
        }
    }

-    password = virRequestPassword(auth, username, hostname);
+    unescapedPassword = virRequestPassword(auth, username, hostname);
+
+    if (unescapedPassword == NULL) {
+        ESX_ERROR(VIR_ERR_AUTH_FAILED, "%s", _("Password request failed"));
+        goto cleanup;
+    }
+
+    password = esxUtil_EscapeForXml(unescapedPassword);

    if (password == NULL) {
-        ESX_ERROR(VIR_ERR_AUTH_FAILED, "%s", _("Password request failed"));
        goto cleanup;
    }

@ -727,8 +734,9 @@ esxConnectToHost(esxPrivate *priv, virConnectAuthPtr auth,
    result = 0;

  cleanup:
-    VIR_FREE(password);
    VIR_FREE(username);
+    VIR_FREE(unescapedPassword);
+    VIR_FREE(password);
    VIR_FREE(url);
    esxVI_String_Free(&propertyNameList);
    esxVI_ObjectContent_Free(&hostSystem);
@ -748,6 +756,7 @@ esxConnectToVCenter(esxPrivate *priv, virConnectAuthPtr auth,
    int result = -1;
    char ipAddress[NI_MAXHOST] = "";
    char *username = NULL;
+    char *unescapedPassword = NULL;
    char *password = NULL;
    char *url = NULL;

@ -779,10 +788,16 @@ esxConnectToVCenter(esxPrivate *priv, virConnectAuthPtr auth,
        }
    }

-    password = virRequestPassword(auth, username, hostname);
+    unescapedPassword = virRequestPassword(auth, username, hostname);
+
+    if (unescapedPassword == NULL) {
+        ESX_ERROR(VIR_ERR_AUTH_FAILED, "%s", _("Password request failed"));
+        goto cleanup;
+    }
+
+    password = esxUtil_EscapeForXml(unescapedPassword);

    if (password == NULL) {
-        ESX_ERROR(VIR_ERR_AUTH_FAILED, "%s", _("Password request failed"));
        goto cleanup;
    }

@ -822,8 +837,9 @@ esxConnectToVCenter(esxPrivate *priv, virConnectAuthPtr auth,
    result = 0;

  cleanup:
-    VIR_FREE(password);
    VIR_FREE(username);
+    VIR_FREE(unescapedPassword);
+    VIR_FREE(password);
    VIR_FREE(url);

    return result;
--- a/src/esx/esx_util.c
+++ b/src/esx/esx_util.c
@ -552,3 +552,22 @@ esxUtil_EscapeDatastoreItem(const char *string)

    return escaped2;
 }
+
+
+
+char *
+esxUtil_EscapeForXml(const char *string)
+{
+    virBuffer buffer = VIR_BUFFER_INITIALIZER;
+
+    virBufferEscapeString(&buffer, "%s", string);
+
+    if (virBufferError(&buffer)) {
+        virReportOOMError();
+        virBufferFreeAndReset(&buffer);
+
+        return NULL;
+    }
+
+    return virBufferContentAndReset(&buffer);
+}
--- a/src/esx/esx_util.h
+++ b/src/esx/esx_util.h
@ -62,4 +62,6 @@ void esxUtil_ReplaceSpecialWindowsPathChars(char *string);

 char *esxUtil_EscapeDatastoreItem(const char *string);

+char *esxUtil_EscapeForXml(const char *string);
+
 #endif /* __ESX_UTIL_H__ */