remove eval for security concerns

2024-11-01 03:54:15 +00:00 · 2021-12-06 09:22:02 +03:00 · 2021-12-06 09:22:02 +03:00 · 5c9a5daedc
commit 5c9a5daedc
parent f690d1fa60
2 changed files with 9 additions and 9 deletions
--- a/instances/templates/instances/settings_tab.html
+++ b/instances/templates/instances/settings_tab.html
@ -886,15 +886,15 @@
                    <label for="vcpu_hotplug" class="col-sm-3 col-form-label">{% trans "vCPU Hot Plug" %}</label>
                    <div class="col-sm-6">
                        <div class="input-group">
-                        <select id="vcpu_hotplug" class="form-control" name="vcpu_hotplug">
-                            <option value="True" {% if instance.vcpus %} selected {% endif %}>{% trans 'Enabled' %}</option>
-                            <option value="False" {% if not instance.vcpus %} selected {% endif %}>{% trans 'Disabled' %}</option>
-                        </select>
-                        {% if instance.status == 5 %}
+                            <select id="vcpu_hotplug" class="form-control" name="vcpu_hotplug">
+                                <option value="True" {% if instance.vcpus %} selected {% endif %}>{% trans 'Enabled' %}</option>
+                                <option value="False" {% if not instance.vcpus %} selected {% endif %}>{% trans 'Disabled' %}</option>
+                            </select>
+                            {% if instance.status == 5 %}
                            <button type="submit" class="btn btn-success" name="set_vcpu_hotplug">{% trans "Set" %}</button>
-                        {% else %}
+                            {% else %}
                            <button class="btn btn-success" name="set_vcpu_hotplug" disabled>{% trans "Set" %}</button>
-                        {% endif %}
+                            {% endif %}
                        </div>
                    </div>
                </div>
--- a/instances/views.py
+++ b/instances/views.py
@ -793,9 +793,9 @@ def set_vcpu(request, pk):
@superuser_only
 def set_vcpu_hotplug(request, pk):
    instance = get_instance(request.user, pk)
-    status = request.POST.get("vcpu_hotplug", "")
+    status = True if request.POST.get("vcpu_hotplug", "False") == 'True' else False
    msg = _("VCPU Hot-plug is enabled=%(status)s") % {"status": status}
-    instance.proxy.set_vcpu_hotplug(eval(status))
+    instance.proxy.set_vcpu_hotplug(status)
    addlogmsg(request.user.username, instance.compute.name, instance.name, msg)
    return redirect(request.META.get("HTTP_REFERER") + "#resize")