[pve-devel] [PATCH firewall] prevent overwriting ipsets/sec. groups by renaming

Dominik Csapak d.csapak at proxmox.com
Fri Jun 3 16:11:27 CEST 2016


we did not check whether the target name of the group/ipset
already existed, so renaming onto an existing name overwrote that entry

Signed-off-by: Dominik Csapak <d.csapak at proxmox.com>
---
 src/PVE/API2/Firewall/Groups.pm | 5 +++++
 src/PVE/API2/Firewall/IPSet.pm  | 5 +++++
 2 files changed, 10 insertions(+)

diff --git a/src/PVE/API2/Firewall/Groups.pm b/src/PVE/API2/Firewall/Groups.pm
index 99ea418..dfc181c 100644
--- a/src/PVE/API2/Firewall/Groups.pm
+++ b/src/PVE/API2/Firewall/Groups.pm
@@ -101,6 +101,11 @@ __PACKAGE__->register_method({
 	    raise_param_exc({ group => "Security group '$param->{rename}' does not exists" }) 
 		if !$cluster_conf->{groups}->{$param->{rename}};
 
+	    # prevent overwriting an existing group
+	    raise_param_exc({ group => "Security group '$param->{group}' does already exist" })
+		if $cluster_conf->{groups}->{$param->{group}} &&
+		$param->{group} ne $param->{rename};
+
 	    my $data = delete $cluster_conf->{groups}->{$param->{rename}};
 	    $cluster_conf->{groups}->{$param->{group}} = $data;
 	    if (my $comment = delete $cluster_conf->{group_comments}->{$param->{rename}}) {
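Review bot: The new guard tests the target entry by truthiness (`if $cluster_conf->{groups}->{$param->{group}} && ...`), so a group key that is present but holds a false value would still be overwritten by the rename. The entries are presumably references and therefore always true, but that is not visible in this hunk. Since the check exists to stop one rule set from replacing another, `exists` states the intent exactly: `if exists($cluster_conf->{groups}->{$param->{group}}) && $param->{group} ne $param->{rename};`. The message would also read better as `"Security group '$param->{group}' already exists"`. Both points apply equally to the IPSet.pm hunk.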
diff --git a/src/PVE/API2/Firewall/IPSet.pm b/src/PVE/API2/Firewall/IPSet.pm
index 1266fd1..6129c9d 100644
--- a/src/PVE/API2/Firewall/IPSet.pm
+++ b/src/PVE/API2/Firewall/IPSet.pm
@@ -587,6 +587,11 @@ sub register_create {
 		raise_param_exc({ name => "IPSet '$param->{rename}' does not exists" }) 
 		    if !$fw_conf->{ipset}->{$param->{rename}};
 
+		# prevent overwriting existing ipset
+		raise_param_exc({ name => "IPSet '$param->{name}' does already exist"})
+		    if $fw_conf->{ipset}->{$param->{name}} &&
+		    $param->{name} ne $param->{rename};
+
 		my $data = delete $fw_conf->{ipset}->{$param->{rename}};
 		$fw_conf->{ipset}->{$param->{name}} = $data;
 		if (my $comment = delete $fw_conf->{ipset_comments}->{$param->{rename}}) {
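Review bot: The added existence check only prevents an overwrite if loading `$fw_conf`, this check and the later save all run without another writer in between, and the hunk shows none of that. The enclosing code starts and ends outside the hunk, so locking may already be in place. If it is not, two concurrent requests can both pass the check and the second save still replaces the first. I would confirm this and record the requirement next to the check, for example `# must run with the firewall config locked: the check and the rename below must not interleave with another writer`. The same applies to the Groups.pm hunk and `$cluster_conf`.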
-- 
2.1.4



