search for: raw_uri

...ar *uri, uint32_t allow) { - if (nbd_unlocked_aio_connect_uri (h, uri) == -1) + if (nbd_unlocked_aio_connect_uri (h, uri, allow) == -1) return -1; return wait_until_connected (h); @@ -228,7 +229,8 @@ error: #endif int -nbd_unlocked_aio_connect_uri (struct nbd_handle *h, const char *raw_uri) +nbd_unlocked_aio_connect_uri (struct nbd_handle *h, + const char *raw_uri, uint32_t allow) { #ifdef HAVE_LIBXML2 xmlURIPtr uri = NULL; @@ -276,6 +278,31 @@ nbd_unlocked_aio_connect_uri (struct nbd_handle *h, const char *raw_uri) goto cleanup; } + /* If...

I'm not sure whether we want to go with just the first patch (reject nbd:unix:/path but still accept nbd:/path), or squash the two in order to go with the second (reject both abbreviated forms, and require scheme://...). Either way, though, nbdkit -U - --run '$nbd' will now error out rather than inadvertently connect over TCP to localhost:10809 instead of the intended Unix connection

...compiled. Later features added to libnbd > +will not be allowed unless you recompile your program. This probably needs to call more attention to the fact that all flags means encryption will be required. > @@ -276,6 +278,31 @@ nbd_unlocked_aio_connect_uri (struct nbd_handle *h, const char *raw_uri) > goto cleanup; > } > > + /* If the user specified the REQUIRE_TLS flag, we assume they must > + * also mean to ALLOW_TLS. > + */ > + if ((allow & LIBNBD_CONNECT_URI_REQUIRE_TLS) != 0) > + allow |= LIBNBD_CONNECT_URI_ALLOW_TLS; > + > + /* Check...

...s; + int uri_allow_tls; + bool uri_allow_local_file; + /* Global flags from the server. */ uint16_t gflags; diff --git a/lib/uri.c b/lib/uri.c index b3dfe7d..704641c 100644 --- a/lib/uri.c +++ b/lib/uri.c @@ -216,6 +216,24 @@ nbd_unlocked_aio_connect_uri (struct nbd_handle *h, const char *raw_uri) goto cleanup; } + /* Check the transport is allowed. */ + if ((transport == tcp && + (h->uri_allow_transports & LIBNBD_ALLOW_TRANSPORT_TCP) == 0) || + (transport == unix_sock && + (h->uri_allow_transports & LIBNBD_ALLOW_TRANSPORT_UNIX) ==...

Previous discussion: https://www.redhat.com/archives/libguestfs/2019-August/msg00102.html Last night I experimentally added support for URIs that contain the query parameter tls-psk-file, as part of rewriting the tests to cover more of the URI code. So you can now have a URI like: nbds://alice@localhost/?tls-psk-file=keys.psk However there's an obvious security problem here because now

This adds coalescing of adjacent extents of the same type, as mentioned by Eric Blake in the commit message here: https://github.com/libguestfs/libnbd/commit/46072f6611f80245846a445766da071e457b00cd The patch series is rather long because it detours through adding the <vector.h> library from nbdkit into libnbd and replacing ad hoc uses of realloc, char ** etc in various places. Rich.

...RE) == -1) { fprintf (stderr, "%s\n", nbd_get_error ()); exit (EXIT_FAILURE); } diff --git a/lib/connect.c b/lib/connect.c index 5e760c6..f98bcdb 100644 --- a/lib/connect.c +++ b/lib/connect.c @@ -292,7 +292,7 @@ nbd_unlocked_aio_connect_uri (struct nbd_handle *h, const char *raw_uri) } /* TLS */ - if (tls && nbd_unlocked_set_tls (h, 2) == -1) + if (tls && nbd_unlocked_set_tls (h, LIBNBD_TLS_REQUIRE) == -1) goto cleanup; /* XXX If uri->query_raw includes TLS parameters, we should call * nbd_unlocked_set_tls_* to match... diff --git a/tes...

...this problem is that we leave it up to the caller to sort it out. We might offer some help such as some functions to parse fields out of NBD URIs, but leave the details of validating to them. > > /* Insist on the scheme://[authority][/absname][?queries] form. */ > > if (strncmp (raw_uri + strlen (uri->scheme), "://", 3)) { > > set_error (EINVAL, "URI must begin with '%s://'", uri->scheme); > > diff --git a/tests/aio-parallel-load.c b/tests/aio-parallel-load.c > > index 614c22b..16c2aa2 100644 > > --- a/tests/aio-parall...

This largish series adds several new features to the generator. Enum maps to enumerated types (like enum in C). The only current use for this is replacing the nbd_set_tls (nbd, 0/1/2) parameter with LIBNBD_TLS_DISABLE, LIBNBD_TLS_ALLOW, LIBNBD_TLS_REQUIRE (and natural equivalents in other programming languages). Flags maps to any uint32_t bitmask. It is basically a non-optional, generalized

...floats. wined3d: Use the correct type in device_unit_free_for_vs. Sven Baars (3): kernel32: Update the Dutch translation. user32: Fix the Dutch translation. shdocvw: Add the Dutch translation. Thomas Mullaly (33): urlmon: Implemented functionality for retrieving the RAW_URI property of a IUri. include: Updated the URL_SCHEME enum. urlmon: Added a scheme name parser for the IUri interface. urlmon: Added a parser function to determine the scheme type of a URI. urlmon: Added a canonicalization function for the scheme of a URI. urlmon: Implem...