When you build QMP input manually like this
cmd = g_strdup_printf("{ 'execute': 'migrate',"
"'arguments': { 'uri': '%s' } }",
uri);
rsp = qmp(cmd);
g_free(cmd);
you're responsible for escaping the interpolated values for JSON. Not
done here, and therefore works only for sufficiently nice @uri. For
instance, if @uri contained a single "'", qobject_from_vjsonf_nofail()
would abort. A sufficiently nasty @uri could even inject unwanted
members into the arguments object.
Leaving interpolation into JSON to qmp() is more robust:
rsp = qmp("{ 'execute': 'migrate', 'arguments': { 'uri': %s } }", uri);
It's also more concise.
Clean up the simple cases where we interpolate exactly a JSON value.
Bonus: gets rid of non-literal format strings. A step towards
compile-time format string checking without triggering
-Wformat-nonliteral.
Signed-off-by: Markus Armbruster <address@hidden>
Reviewed-by: Philippe Mathieu-Daudé <address@hidden>
---
- cmd = g_strdup_printf("{ 'execute': 'migrate_set_downtime',"
- "'arguments': { 'value': %g } }", value);
- rsp = qtest_qmp(who, cmd);
- g_free(cmd);
+ rsp = qtest_qmp(who,
+ "{ 'execute': 'migrate_set_downtime',"
+ " 'arguments': { 'value': %f } }", value);