imgedit.py: do not open a port to the entire world

Since commit 464f4e0, imgedit.py opens runs qemu-nbd on a random port, but qemu-nbd needlessly listens to all interfaces - including potentially to connections from the outside world. While the practical risk is minimal (imgedit.py runs for very short duration), there is no need to take it at all - qemu-nbd should only listen to the 127.0.0.1 interface (see issue #709). And in turn, imgedit.py should contact 127.0.0.1 and not rely on the alias "localhost" working for ipv4 (see issue #534). Signed-off-by: Nadav Har'El <[email protected]> Message-Id: <[email protected]>
cloudius-systems · May 27, 2019 · e37d8ed · e37d8ed
1 parent 5deec8f
commit e37d8ed
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/scripts/imgedit.py b/scripts/imgedit.py
@@ -59,11 +59,11 @@ def __init__(self, filename):
         self._buf = None
         self._closed = True
         nbd_port = randint(10809, 20809)
-        self._process = subprocess.Popen(["qemu-nbd", "-p", str(nbd_port)] + fileformat + [filename], shell=False, stdout=_devnull)
+        self._process = subprocess.Popen(["qemu-nbd", "-b", "127.0.0.1", "-p", str(nbd_port)] + fileformat + [filename], shell=False, stdout=_devnull)
         # wait for qemu-nbd to start: this thing doesn't tell anything on stdout
         while True:
             try:
-                self._client = nbd_client("localhost", nbd_port)
+                self._client = nbd_client("127.0.0.1", nbd_port)
                 break
             except:
                 if self._process.poll() != None: