2 files changed, 29 insertions, 0 deletions

diff --git a/openstack/common/rpc/impl_zmq.py b/openstack/common/rpc/impl_zmq.py
index 7af9cd0..87f8d21 100644
--- a/openstack/common/rpc/impl_zmq.py
+++ b/openstack/common/rpc/impl_zmq.py
@@ -16,6 +16,7 @@
 
 import os
 import pprint
+import re
 import socket
 import sys
 import types
@@ -431,6 +432,8 @@ class ZmqProxy(ZmqBaseReactor):
 
     def __init__(self, conf):
         super(ZmqProxy, self).__init__(conf)
+        pathsep = set((os.path.sep or '', os.path.altsep or '', '/', '\\'))
+        self.badchars = re.compile(r'[%s]' % re.escape(''.join(pathsep)))
 
         self.topic_proxy = {}
 
@@ -456,6 +459,13 @@ class ZmqProxy(ZmqBaseReactor):
                 LOG.info(_("Creating proxy for topic: %s"), topic)
 
                 try:
+                    # The topic is received over the network,
+                    # don't trust this input.
+                    if self.badchars.search(topic) is not None:
+                        emsg = _("Topic contained dangerous characters.")
+                        LOG.warn(emsg)
+                        raise RPCException(emsg)
+
                     out_sock = ZmqSocket("ipc://%s/zmq_topic_%s" %
                                          (ipc_dir, topic),
                                          sock_type, bind=True)
diff --git a/tests/unit/rpc/test_zmq.py b/tests/unit/rpc/test_zmq.py
index c197c35..d42a07d 100644
--- a/tests/unit/rpc/test_zmq.py
+++ b/tests/unit/rpc/test_zmq.py
@@ -21,6 +21,7 @@ Unit Tests for remote procedure calls using zeromq
 import eventlet
 eventlet.monkey_patch()
 
+import itertools
 import logging
 import os
 import socket
@@ -100,6 +101,24 @@ class _RpcZmqBaseTestCase(common.BaseRpcTestCase):
         if self.reactor:
             self.reactor.close()
 
+    def test_cast_pathsep_topic(self):
+        """Ensure topics with a contain a path separator result in error."""
+        tmp_topic = self.topic_nested
+
+        # All OS path separators
+        badchars = itertools.ifilter(None,
+                                     set((os.sep, os.altsep, '/', '\\')))
+        for char in badchars:
+            self.topic_nested = char.join(('hello', 'world'))
+            try:
+                # TODO(ewindisch): Determine which exception is raised.
+                #                  pending bug #1121348
+                self.assertRaises(Exception, self._test_cast,
+                                  common.TestReceiver.echo, 42, {"value": 42},
+                                  fanout=False)
+            finally:
+                self.topic_nested = tmp_topic
+
 
 class RpcZmqBaseTopicTestCase(_RpcZmqBaseTestCase):
     """