From e1a2f8dcb283ed7869deee48b38eaf1e8ce79622 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
 <marmarek@invisiblethingslab.com>
Date: Tue, 23 Feb 2021 14:27:52 +0100
Subject: [PATCH] Enable autoescape in libvirt xml template

This avoids XML-injection by a malformed property value. If a property
value is controlled by a less privileged entity (like Management VM), it
could lead to a privilege escalation.

Reported by @DemiMarie
---
 qubes/app.py                 | 3 ++-
 qubes/tests/devices_block.py | 3 ++-
 qubes/tests/vm/__init__.py   | 3 ++-
 qubes/tests/vm/qubesvm.py    | 4 ++--
 4 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/qubes/app.py b/qubes/app.py
index b64a197a..bebc0196 100644
--- a/qubes/app.py
+++ b/qubes/app.py
@@ -924,7 +924,8 @@ class Qubes(qubes.PropertyHolder):
                 '/etc/qubes/templates',
                 '/usr/share/qubes/templates',
             ]),
-            undefined=jinja2.StrictUndefined)
+            undefined=jinja2.StrictUndefined,
+            autoescape=True)
 
         if load:
             self.load(lock=lock)
diff --git a/qubes/tests/devices_block.py b/qubes/tests/devices_block.py
index 959ec31c..e3c4e59d 100644
--- a/qubes/tests/devices_block.py
+++ b/qubes/tests/devices_block.py
@@ -111,7 +111,8 @@ class TestApp(object):
                 '/etc/qubes/templates',
                 '/usr/share/qubes/templates',
             ]),
-            undefined=jinja2.StrictUndefined)
+            undefined=jinja2.StrictUndefined,
+            autoescape=True)
         self.domains = {}
 
 
diff --git a/qubes/tests/vm/__init__.py b/qubes/tests/vm/__init__.py
index 51e20ce7..9dd9c030 100644
--- a/qubes/tests/vm/__init__.py
+++ b/qubes/tests/vm/__init__.py
@@ -112,4 +112,5 @@ class TestApp(qubes.tests.TestEmitter):
                 '/etc/qubes/templates',
                 '/usr/share/qubes/templates',
             ]),
-            undefined=jinja2.StrictUndefined)
+            undefined=jinja2.StrictUndefined,
+            autoescape=True)
diff --git a/qubes/tests/vm/qubesvm.py b/qubes/tests/vm/qubesvm.py
index e0d2475b..32347d84 100644
--- a/qubes/tests/vm/qubesvm.py
+++ b/qubes/tests/vm/qubesvm.py
@@ -963,7 +963,7 @@ class TC_90_QubesVM(QubesVMTestsMixin, qubes.tests.QubesTestCase):
             <loader type="rom">hvmloader</loader>
             <boot dev="cdrom" />
             <boot dev="hd" />
-            <cmdline>kernel specific options</cmdline>
+            <cmdline>kernel &lt;text&gt; specific options</cmdline>
         </os>
         <features>
             <pae/>
@@ -1002,7 +1002,7 @@ class TC_90_QubesVM(QubesVMTestsMixin, qubes.tests.QubesTestCase):
             open(os.path.join(kernel_dir, 'initramfs'), 'w').close()
             with open(os.path.join(kernel_dir,
                     'default-kernelopts-common.txt'), 'w') as f:
-                f.write('kernel specific options \n')
+                f.write('kernel <text> specific options \n')
             self.addCleanup(shutil.rmtree, '/tmp/qubes-test')
             vm.kernel = 'dummy'
             libvirt_xml = vm.create_config_file()