remote migration: fix online migration via API clients

As reported in the community forum [0], when a remote migration
request comes in via an API client, the -T flag for Perl is set, so an
insecure dependency in a call like unlink() in forward_unix_socket()
will fail with:

> failed to write forwarding command - Insecure dependency in unlink while running with -T switch

To fix it, untaint the problematic socket addresses coming from the
remote side. Require that all sockets are below '/run/qemu-server/'
and end with '.migrate' with the main socket being matched more
strictly. This allows extensions in the future while still being quite
strict.

[0]: https://forum.proxmox.com/threads/123048/post-691958

Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>

diff --git a/PVE/QemuMigrate.pm b/PVE/QemuMigrate.pm
index e71face453ec36f5a80d2583f35b90a7fbd9bbbd..6591f3f75405bf30fb3ded42ed3bb5e699727bb7 100644 (file)
--- a/PVE/QemuMigrate.pm
+++ b/PVE/QemuMigrate.pm
@@ -1095,7 +1095,9 @@ sub phase2 {
        die "only UNIX sockets are supported for remote migration\n"
            if $tunnel_info->{proto} ne 'unix';
 
-       my $remote_socket = $tunnel_info->{addr};
+       # untaint
+       my ($remote_socket) = $tunnel_info->{addr} =~ m|^(/run/qemu-server/\d+\.migrate)$|
+           or die "unexpected socket address '$tunnel_info->{addr}'\n";
        my $local_socket = $remote_socket;
        $local_socket =~ s/$remote_vmid/$vmid/g;
        $tunnel_info->{addr} = $local_socket;
@@ -1104,6 +1106,9 @@ sub phase2 {
        PVE::Tunnel::forward_unix_socket($self->{tunnel}, $local_socket, $remote_socket);
 
        foreach my $remote_socket (@{$tunnel_info->{unix_sockets}}) {
+           # untaint
+           ($remote_socket) = $remote_socket =~ m|^(/run/qemu-server/(?:(?!\.\./).)+\.migrate)$|
+               or die "unexpected socket address '$remote_socket'\n";
            my $local_socket = $remote_socket;
            $local_socket =~ s/$remote_vmid/$vmid/g;
            next if $self->{tunnel}->{forwarded}->{$local_socket};