Prevent file injection writing to host filesystem.

Fix bug 1015531, CVE-2012-3360, CVE-2012-3361

This patch prevents the file injection code from writing into the host
filesystem if a user specifies a path for the injected file that
contains '..'.  The check is to make sure that the final normalized path
that is about to be written to is within the mounted guest filesystem.

Signed-off-by: Russell Bryant <rbryant@redhat.com>
Signed-off-by: Pádraig Brady <pbrady@redhat.com>
Signed-off-by: Mark McLoughlin <markmc@redhat.com>

Change-Id: I658cd12fd319cee91eb9544cdf53c862c5d2c560

nova/tests/test_virt.py

@@ -15,8 +15,10 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
+from nova import exception
 from nova import flags
 from nova import test
+from nova.virt.disk import api as disk_api
 from nova.virt import driver
 
 FLAGS = flags.FLAGS
@@ -81,3 +83,21 @@ class TestVirtDriver(test.TestCase):
                                                 'swap_size': 0}))
         self.assertTrue(driver.swap_is_usable({'device_name': '/dev/sdb',
                                                 'swap_size': 1}))
+
+
+class TestVirtDisk(test.TestCase):
+    def test_check_safe_path(self):
+        ret = disk_api._join_and_check_path_within_fs('/foo', 'etc',
+                                                      'something.conf')
+        self.assertEquals(ret, '/foo/etc/something.conf')
+
+    def test_check_unsafe_path(self):
+        self.assertRaises(exception.Invalid,
+                          disk_api._join_and_check_path_within_fs,
+                          '/foo', 'etc/../../../something.conf')
+
+    def test_inject_files_with_bad_path(self):
+        self.assertRaises(exception.Invalid,
+                          disk_api._inject_file_into_fs,
+                          '/tmp', '/etc/../../../../etc/passwd',
+                          'hax')