From 5a30c52fd5f03e11a1e7a998731c59a31477eba9 Mon Sep 17 00:00:00 2001
From: CoprDistGit
Date: Mon, 16 Oct 2023 08:21:17 +0000
Subject: automatic import of iSulad
---
...word-in-url-module-and-clean-sensitive-in.patch | 332 +++++++++++++++++++++
1 file changed, 332 insertions(+)
create mode 100644 0019-remove-password-in-url-module-and-clean-sensitive-in.patch
(limited to '0019-remove-password-in-url-module-and-clean-sensitive-in.patch')
diff --git a/0019-remove-password-in-url-module-and-clean-sensitive-in.patch b/0019-remove-password-in-url-module-and-clean-sensitive-in.patch
new file mode 100644
index 0000000..255cf28
--- /dev/null
+++ b/0019-remove-password-in-url-module-and-clean-sensitive-in.patch
@@ -0,0 +1,332 @@ +From 4adc923cfaf25142aa4cbb909d65c0f3a999cc02 Mon Sep 17 00:00:00 2001 +From: zhongtao +Date: Tue, 29 Aug 2023 11:41:26 +0800 +Subject: [PATCH 19/33] remove password in url module and clean sensitive info + in struct passwd + +Signed-off-by: zhongtao +--- + .../modules/image/image_rootfs_handler.c | 13 +- + src/utils/cpputils/url.cc | 144 +----------------- + src/utils/cpputils/url.h | 19 +-- + 3 files changed, 15 insertions(+), 161 deletions(-) + +diff --git a/src/daemon/modules/image/image_rootfs_handler.c b/src/daemon/modules/image/image_rootfs_handler.c +index 1a3f4307..a8036ab9 100644 +--- a/src/daemon/modules/image/image_rootfs_handler.c ++++ b/src/daemon/modules/image/image_rootfs_handler.c +@@ -85,6 +85,7 @@ static int proc_by_fpasswd(FILE *f_passwd, const char *user, defs_process_user * + char buf[BUFSIZ] = { 0 }; + struct passwd pw; + struct passwd *pwbufp = NULL; ++ int ret = -1; + + if (f_passwd != NULL) { + #if defined (__ANDROID__) || defined(__MUSL__) +@@ -116,7 +117,7 @@ static int proc_by_fpasswd(FILE *f_passwd, const char *user, defs_process_user * + if (errval != 0 && errval != ENOENT) { + ERROR("Failed to parse passwd file: Insufficient buffer space supplied"); + isulad_set_error_message("Failed to parse passwd file: Insufficient buffer space supplied"); +- return -1; ++ goto out; + } + if (!userfound && user != NULL) { + int uret = util_safe_llong(user, &n_user); +@@ -124,16 +125,20 @@ static int proc_by_fpasswd(FILE *f_passwd, const char *user, defs_process_user * + if (uret != 0) { + ERROR("Unable to find user '%s'", user); + isulad_set_error_message("Unable to find user '%s': no matching entries in passwd file", user); +- return -1; ++ goto out; + } + if (n_user < MINUID || n_user > MAXUID) { + uids_gids_range_err_log(); +- return -1; ++ goto out; + } + puser->uid = (uid_t)n_user; + } ++ ret = 0; + +- return 0; ++out: ++ memset(buf, 0, sizeof(buf)); ++ memset(pwbufp, 0, sizeof(struct passwd)); ++ return ret; + } + + static 
int append_additional_gids(gid_t gid, gid_t **additional_gids, size_t *len) +diff --git a/src/utils/cpputils/url.cc b/src/utils/cpputils/url.cc +index 117eba7e..baaded07 100644 +--- a/src/utils/cpputils/url.cc ++++ b/src/utils/cpputils/url.cc +@@ -266,12 +266,7 @@ std::string Escape(const std::string &s, const EncodeMode &mode) + + UserInfo *User(const std::string &username) noexcept + { +- return new UserInfo { username, "", false }; +-} +- +-UserInfo *UserPassword(const std::string &username, const std::string &password) noexcept +-{ +- return new UserInfo { username, password, true }; ++ return new UserInfo { username }; + } + + int Getscheme(const std::string &rawurl, std::string &scheme, std::string &path) +@@ -324,24 +319,6 @@ void Split(const std::string &s, const std::string &c, bool cutc, std::string &t + u = s.substr(i, s.size()); + } + +-URLDatum *Parse(const std::string &rawurl) +-{ +- std::string u, frag; +- Split(rawurl, "#", true, u, frag); +- auto *url = Parse(u, false); +- if (url == nullptr) { +- return nullptr; +- } +- if (frag.empty()) { +- return url; +- } +- url->SetFragment(Unescape(frag, EncodeMode::ENCODE_FRAGMENT)); +- if (url->GetFragment().empty()) { +- return nullptr; +- } +- return url; +-} +- + int SplitOffPossibleLeading(std::string &scheme, const std::string &rawurl, URLDatum *url, std::string &rest) + { + if (Getscheme(rawurl, scheme, rest) != 0) { +@@ -385,108 +362,6 @@ URLDatum *HandleNonBackslashPrefix(URLDatum *url, const std::string &scheme, con + return nullptr; + } + +-int SetURLDatumInfo(URLDatum *url, const std::string &scheme, bool viaRequest, std::string &rest) +-{ +- if ((!scheme.empty() || (!viaRequest && rest.substr(0, 3) == "///")) && rest.substr(0, 2) == "//") { +- std::string authority; +- Split(rest.substr(2, rest.size()), "/", false, authority, rest); +- std::string host = url->GetHost(); +- UserInfo *user = url->GetUser(); +- if (ParseAuthority(authority, &user, host)) { +- return -1; +- } +- url->SetHost(host); 
+- url->SetUser(user); +- } +- if (url->SetPath(rest)) { +- return -1; +- } +- url->SetScheme(scheme); +- return 0; +-} +- +-URLDatum *Parse(const std::string &rawurl, bool viaRequest) +-{ +- if (rawurl.empty() && viaRequest) { +- ERROR("empty url!"); +- return nullptr; +- } +- auto *url = new (std::nothrow) URLDatum; +- if (url == nullptr) { +- ERROR("Out of memory"); +- return nullptr; +- } +- if (rawurl == "*") { +- url->SetPathWithoutEscape("*"); +- return url; +- } +- std::string scheme = url->GetScheme(); +- std::string rest; +- if (SplitOffPossibleLeading(scheme, rawurl, url, rest) != 0) { +- return nullptr; +- } +- bool shouldRet = false; +- auto *tmpret = HandleNonBackslashPrefix(url, scheme, rest, viaRequest, shouldRet); +- if (shouldRet) { +- return tmpret; +- } +- if (SetURLDatumInfo(url, scheme, viaRequest, rest) != 0) { +- return nullptr; +- } +- return url; +-} +- +-int ParseAuthority(const std::string &authority, UserInfo **user, std::string &host) +-{ +- size_t i = authority.find("@"); +- if (i == std::string::npos) { +- if (ParseHost(authority, host) != 0) { +- *user = nullptr; +- host = ""; +- return -1; +- } +- } else { +- if (ParseHost(authority.substr(i + 1, authority.size()), host) != 0) { +- *user = nullptr; +- host = ""; +- return -1; +- } +- } +- if (i == std::string::npos) { +- *user = nullptr; +- return 0; +- } +- +- std::string userinfo = authority.substr(0, i); +- if (!ValidUserinfo(userinfo)) { +- *user = nullptr; +- host = ""; +- ERROR("net/url: invalid userinfo"); +- return -1; +- } +- if (userinfo.find(":") == std::string::npos) { +- userinfo = Unescape(userinfo, EncodeMode::ENCODE_USER_PASSWORD); +- if (userinfo.empty()) { +- *user = nullptr; +- host = ""; +- return -1; +- } +- *user = User(userinfo); +- } else { +- std::string servername, serverword; +- Split(userinfo, ":", true, servername, serverword); +- servername = Unescape(servername, EncodeMode::ENCODE_USER_PASSWORD); +- serverword = Unescape(serverword, 
EncodeMode::ENCODE_USER_PASSWORD); +- if (servername.empty() || serverword.empty()) { +- *user = nullptr; +- host = ""; +- return -1; +- } +- *user = UserPassword(servername, serverword); +- } +- return 0; +-} +- + int ParseHost(std::string host, std::string &out) + { + if (host.at(0) == '[') { +@@ -756,9 +631,6 @@ std::string UserInfo::String() const + std::string s; + if (!m_username.empty()) { + s = Escape(m_username, EncodeMode::ENCODE_USER_PASSWORD); +- if (m_passwordSet) { +- s += ":" + Escape(m_password, EncodeMode::ENCODE_USER_PASSWORD); +- } + } + return s; + } +@@ -766,11 +638,6 @@ std::string UserInfo::Username() const + { + return m_username; + } +-std::string UserInfo::Password(bool &set) const +-{ +- set = m_passwordSet; +- return m_password; +-} + + URLDatum::~URLDatum() + { +@@ -860,15 +727,6 @@ bool URLDatum::IsAbs() const + return (m_scheme != ""); + } + +-std::unique_ptr URLDatum::UrlParse(const std::string &ref) +-{ +- auto *refurl = Parse(ref); +- if (refurl == nullptr) { +- return nullptr; +- } +- return ResolveReference(refurl); +-} +- + std::unique_ptr URLDatum::ResolveReference(URLDatum *ref) + { + std::unique_ptr url(new (std::nothrow) URLDatum(*ref)); +diff --git a/src/utils/cpputils/url.h b/src/utils/cpputils/url.h +index abbf20f4..3dd40079 100644 +--- a/src/utils/cpputils/url.h ++++ b/src/utils/cpputils/url.h +@@ -49,17 +49,13 @@ private: + + class UserInfo { + public: +- UserInfo(const std::string &u, const std::string &p, bool b) : m_username(u), m_password(p), +- m_passwordSet(b) {} ++ UserInfo(const std::string &u) : m_username(u) {} + ~UserInfo() = default; + std::string String() const; + std::string Username() const; +- std::string Password(bool &set) const; + + private: + std::string m_username; +- std::string m_password; +- bool m_passwordSet; + }; + + class URLDatum { +@@ -69,7 +65,6 @@ public: + std::string EscapedPath(); + std::string String(); + bool IsAbs() const; +- std::unique_ptr UrlParse(const std::string &ref); + 
std::unique_ptr ResolveReference(URLDatum *ref); + auto Query()->std::map>; + std::string RequestURI(); +@@ -88,7 +83,7 @@ public: + { + m_opaque = value; + } +- std::string GetOpaque() const ++ std::string GetOpaque() const + { + return m_opaque; + } +@@ -96,7 +91,7 @@ public: + { + m_user = value; + } +- UserInfo *GetUser() const ++ UserInfo *GetUser() const + { + return m_user; + } +@@ -128,7 +123,7 @@ public: + { + m_rawQuery = value; + } +- std::string GetRawQuery() const ++ std::string GetRawQuery() const + { + return m_rawQuery; + } +@@ -136,7 +131,7 @@ public: + { + m_fragment = value; + } +- std::string GetFragment() const ++ std::string GetFragment() const + { + return m_fragment; + } +@@ -163,13 +158,9 @@ std::string QueryUnescape(const std::string &s); + std::string Unescape(std::string s, const EncodeMode &mode); + std::string QueryEscape(const std::string &s); + std::string Escape(const std::string &s, const EncodeMode &mode); +-UserInfo *UserPassword(const std::string &username, const std::string &password) noexcept; + UserInfo *User(const std::string &username) noexcept; + int Getscheme(const std::string &rawurl, std::string &scheme, std::string &path); + void Split(const std::string &s, const std::string &c, bool cutc, std::string &t, std::string &u); +-URLDatum *Parse(const std::string &rawurl); +-URLDatum *Parse(const std::string &rawurl, bool viaRequest); +-int ParseAuthority(const std::string &authority, UserInfo **user, std::string &host); + int ParseHost(std::string host, std::string &out); + bool ValidEncodedPath(const std::string &s); + bool ValidOptionalPort(const std::string &port); +-- +2.40.1 + -- cgit v1.2.3
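Review bot: In the embedded image_rootfs_handler.c change, the new `out:` path of proc_by_fpasswd calls `memset(pwbufp, 0, sizeof(struct passwd));`, but `pwbufp` is declared `= NULL` and is only assigned inside the `if (f_passwd != NULL)` block, so it can still be NULL here when no passwd stream was passed in, and presumably also once the lookup loop (which lies between the two hunks and is not shown) has run to end of file. The record that actually receives the parsed fields is the local `pw`, so the wipe should target it directly: `memset(&pw, 0, sizeof(pw));`. Both wipes are plain `memset` calls on locals immediately before `return ret;`, which an optimising compiler may remove as dead stores; a non-elidable clear such as `explicit_bzero(buf, sizeof(buf));` where the libc provides it (or the project's own secure-wipe helper, if it has one) is what keeps the passwd-entry bytes from lingering on the stack. A short comment above `out:` stating that every exit must pass through the wipe would also help keep later early returns from bypassing it.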