43fe83
From a8692d25ea7457443ad49dc9187ca54d7a8faa55 Mon Sep 17 00:00:00 2001
43fe83
Message-Id: <a8692d25ea7457443ad49dc9187ca54d7a8faa55.1383321465.git.jdenemar@redhat.com>
43fe83
From: "Daniel P. Berrange" <berrange@redhat.com>
43fe83
Date: Wed, 30 Oct 2013 17:01:52 +0000
43fe83
Subject: [PATCH] Block all use of getenv with syntax-check
43fe83
43fe83
For
43fe83
43fe83
  https://bugzilla.redhat.com/show_bug.cgi?id=1015247
43fe83
43fe83
The use of getenv is typically insecure, and we want people
43fe83
to use our wrappers, to force them to think about setuid
43fe83
needs.
43fe83
43fe83
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
43fe83
(cherry picked from commit 71b21f12bece1127b28b404f11f57b4c2d48983a)
43fe83
Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
43fe83
---
43fe83
 cfg.mk             | 8 ++++++++
43fe83
 src/util/virutil.c | 4 ++--
43fe83
 2 files changed, 10 insertions(+), 2 deletions(-)
43fe83
43fe83
diff --git a/cfg.mk b/cfg.mk
43fe83
index aa2e1a1..f2cd411 100644
43fe83
--- a/cfg.mk
43fe83
+++ b/cfg.mk
43fe83
@@ -836,6 +836,11 @@ sc_prohibit_unbounded_arrays_in_rpc:
43fe83
 	halt='Arrays in XDR must have a upper limit set for <NNN>'	\
43fe83
 	  $(_sc_search_regexp)
43fe83
 
43fe83
+sc_prohibit_getenv:
43fe83
+	@prohibit='\b(secure_)?getenv *\('				\
43fe83
+	exclude='exempt from syntax-check'				\
43fe83
+	halt='Use virGetEnv{Allow,Block}SUID instead of getenv'		\
43fe83
+	  $(_sc_search_regexp)
43fe83
 
43fe83
 # We don't use this feature of maint.mk.
43fe83
 prev_version_file = /dev/null
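Review bot: The `exclude='exempt from syntax-check'` marker in `sc_prohibit_getenv` is free text that silences the check on any line carrying it, so the rule is only as strong as review of new uses of that phrase. Since the intended exempt callers appear to be just the two wrappers in src/util/virutil.c, a comment above the rule would make that explicit, e.g. `# Only virGetEnvBlockSUID/virGetEnvAllowSUID in src/util/virutil.c may carry the exemption marker`. The pattern also looks like it would miss a tab between the name and the parenthesis, and an underscore-prefixed variant such as `__secure_getenv (`, because `\b` cannot match between `_` and `s`. If those spellings matter for this tree, `'\b(__)?(secure_)?getenv[[:space:]]*\('` would cover them; this is untested against the `_sc_search_regexp` grep invocation.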
43fe83
@@ -1005,3 +1010,6 @@ exclude_file_name_regexp--sc_prohibit_include_public_headers_brackets = \
43fe83
 
43fe83
 exclude_file_name_regexp--sc_prohibit_int_ijk = \
43fe83
   ^(src/remote_protocol-structs|src/remote/remote_protocol.x|cfg.mk|include/)$
43fe83
+
43fe83
+exclude_file_name_regexp--sc_prohibit_getenv = \
43fe83
+  ^tests/.*\.[ch]$$
43fe83
diff --git a/src/util/virutil.c b/src/util/virutil.c
43fe83
index 2b3cbeb..21827f2 100644
43fe83
--- a/src/util/virutil.c
43fe83
+++ b/src/util/virutil.c
43fe83
@@ -2108,7 +2108,7 @@ cleanup:
43fe83
  */
43fe83
 const char *virGetEnvBlockSUID(const char *name)
43fe83
 {
43fe83
-    return secure_getenv(name);
43fe83
+    return secure_getenv(name); /* exempt from syntax-check-rules */
43fe83
 }
43fe83
 
43fe83
 
43fe83
@@ -2122,7 +2122,7 @@ const char *virGetEnvBlockSUID(const char *name)
43fe83
  */
43fe83
 const char *virGetEnvAllowSUID(const char *name)
43fe83
 {
43fe83
-    return getenv(name);
43fe83
+    return getenv(name); /* exempt from syntax-check-rules */
43fe83
 }
43fe83
 
43fe83
 
43fe83
-- 
43fe83
1.8.4.2
43fe83