You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@subversion.apache.org by st...@apache.org on 2011/07/25 16:33:33 UTC

svn commit: r1150723 - /subversion/branches/gpg-agent-password-store/subversion/libsvn_auth_gpg_agent/gpg_agent.c

Author: stsp
Date: Mon Jul 25 14:33:32 2011
New Revision: 1150723

URL: http://svn.apache.org/viewvc?rev=1150723&view=rev
Log:
On the gpg-agent-password-store branch, send the values of the LC_CTYPE
and DISPLAY variables to gpg-agent. These might be useful for the pinentry
program.

* subversion/libsvn_auth_gpg_agent/gpg_agent.c
  (password_get_gpg_agent): If LC_CTYPE and/or DISPLAY environment variables
   are set, use their values as arguments for the --lc-ctype and --display
   options of gpg-agent.

Modified:
    subversion/branches/gpg-agent-password-store/subversion/libsvn_auth_gpg_agent/gpg_agent.c

Modified: subversion/branches/gpg-agent-password-store/subversion/libsvn_auth_gpg_agent/gpg_agent.c
URL: http://svn.apache.org/viewvc/subversion/branches/gpg-agent-password-store/subversion/libsvn_auth_gpg_agent/gpg_agent.c?rev=1150723&r1=1150722&r2=1150723&view=diff
==============================================================================
--- subversion/branches/gpg-agent-password-store/subversion/libsvn_auth_gpg_agent/gpg_agent.c (original)
+++ subversion/branches/gpg-agent-password-store/subversion/libsvn_auth_gpg_agent/gpg_agent.c Mon Jul 25 14:33:32 2011
@@ -101,6 +101,8 @@ password_get_gpg_agent(const char **pass
   struct sockaddr_un addr;
   const char *tty_name;
   const char *tty_type;
+  const char *lc_ctype;
+  const char *display;
   const char *socket_name = NULL;
   svn_checksum_t *digest = NULL;
 
@@ -195,6 +197,46 @@ password_get_gpg_agent(const char **pass
       return FALSE;
     }
 
+  /* Send LC_CTYPE to the gpg-agent daemon. */
+  lc_ctype = getenv("LC_CTYPE");
+  if (lc_ctype == NULL)
+    lc_ctype = getenv("LC_ALL");
+  if (lc_ctype == NULL)
+    lc_ctype = getenv("LANG");
+  if (lc_ctype != NULL)
+    {
+      request = apr_psprintf(pool, "OPTION lc-ctype=%s\n", lc_ctype);
+      send(sd, request, strlen(request), 0);
+      if (!receive_from_gpg_agent(sd, buffer, BUFFER_SIZE - 1))
+        {
+          close(sd);
+          return FALSE;
+        }
+      if (strncmp(buffer, "OK", 2) != 0)
+        {
+          close(sd);
+          return FALSE;
+        }
+    }
+
+  /* Send DISPLAY to the gpg-agent daemon. */
+  display = getenv("DISPLAY");
+  if (display != NULL)
+    {
+      request = apr_psprintf(pool, "OPTION display=%s\n", display);
+      send(sd, request, strlen(request), 0);
+      if (!receive_from_gpg_agent(sd, buffer, BUFFER_SIZE - 1))
+        {
+          close(sd);
+          return FALSE;
+        }
+      if (strncmp(buffer, "OK", 2) != 0)
+        {
+          close(sd);
+          return FALSE;
+        }
+    }
+
   /* Create the CACHE_ID which will be generated based on REALMSTRING similar
      to other password caching mechanisms. */
   digest = svn_checksum_create(svn_checksum_md5, pool);

Re: svn commit: r1150723 - /subversion/branches/gpg-agent-password-store/subversion/libsvn_auth_gpg_agent/gpg_agent.c

Posted by Daniel Shahaf <da...@elego.de>.

Stefan Sperling wrote on Mon, Jul 25, 2011 at 20:55:56 +0200:
> On Mon, Jul 25, 2011 at 09:44:17PM +0300, Daniel Shahaf wrote:
> > stsp@apache.org wrote on Mon, Jul 25, 2011 at 14:33:33 -0000:
> > > +  /* Send LC_CTYPE to the gpg-agent daemon. */
> > > +  lc_ctype = getenv("LC_CTYPE");
> > > +  if (lc_ctype == NULL)
> > > +    lc_ctype = getenv("LC_ALL");
> > > +  if (lc_ctype == NULL)
> > > +    lc_ctype = getenv("LANG");
> > > +  if (lc_ctype != NULL)
> > > +    {
> > > +      request = apr_psprintf(pool, "OPTION lc-ctype=%s\n", lc_ctype);
> > 
> > You're passing an environment variable to gpg-agent unescaped.  Suppose
> > I could control the value of that variable in your environment.  (Yes,
> > this is a contrived situation.)  What could I do then?
> 
> Issue arbitrary commands to the agent. But the response will be read
> back by svn.
> I am not sure what kind of commands there are (or will be added in
> future) that would be useful to you in that situation.
> 

On IRC you linked to
<http://www.gnupg.org/documentation/manuals/gnupg/Agent-Protocol.html>.

I'm also thinking on how this can affect third-party applications that
also use the same gpg-agent instance.

I'll look into that at some point.

> If you can already control a user's env vars you can likely
> go a simpler route: Just talk to the agent and get the password
> from it. All you need to know is the MD5 hash of the auth realm.
> Try all of the ones in ~/.subversion/auth/svn.simple and you'll
> likely get a password.
> 
> As I sad on IRC, I don't think running a gpg-agent with the password
> cached is any safer than putting the password in a plain-text file
> with restricted access permissions. The only difference is that the
> cached password doesn't survive a reboot and times out after a while.

Re: svn commit: r1150723 - /subversion/branches/gpg-agent-password-store/subversion/libsvn_auth_gpg_agent/gpg_agent.c

Posted by Stefan Sperling <st...@elego.de>.

On Mon, Jul 25, 2011 at 09:44:17PM +0300, Daniel Shahaf wrote:
> stsp@apache.org wrote on Mon, Jul 25, 2011 at 14:33:33 -0000:
> > +  /* Send LC_CTYPE to the gpg-agent daemon. */
> > +  lc_ctype = getenv("LC_CTYPE");
> > +  if (lc_ctype == NULL)
> > +    lc_ctype = getenv("LC_ALL");
> > +  if (lc_ctype == NULL)
> > +    lc_ctype = getenv("LANG");
> > +  if (lc_ctype != NULL)
> > +    {
> > +      request = apr_psprintf(pool, "OPTION lc-ctype=%s\n", lc_ctype);
> 
> You're passing an environment variable to gpg-agent unescaped.  Suppose
> I could control the value of that variable in your environment.  (Yes,
> this is a contrived situation.)  What could I do then?

Issue arbitrary commands to the agent. But the response will be read
back by svn.
I am not sure what kind of commands there are (or will be added in
future) that would be useful to you in that situation.

If you can already control a user's env vars you can likely
go a simpler route: Just talk to the agent and get the password
from it. All you need to know is the MD5 hash of the auth realm.
Try all of the ones in ~/.subversion/auth/svn.simple and you'll
likely get a password.

As I sad on IRC, I don't think running a gpg-agent with the password
cached is any safer than putting the password in a plain-text file
with restricted access permissions. The only difference is that the
cached password doesn't survive a reboot and times out after a while.

Re: svn commit: r1150723 - /subversion/branches/gpg-agent-password-store/subversion/libsvn_auth_gpg_agent/gpg_agent.c

Posted by Daniel Shahaf <d....@daniel.shahaf.name>.

stsp@apache.org wrote on Mon, Jul 25, 2011 at 14:33:33 -0000:
> Author: stsp
> Date: Mon Jul 25 14:33:32 2011
> New Revision: 1150723
> 
> URL: http://svn.apache.org/viewvc?rev=1150723&view=rev
> Log:
> On the gpg-agent-password-store branch, send the values of the LC_CTYPE
> and DISPLAY variables to gpg-agent. These might be useful for the pinentry
> program.
> 
> * subversion/libsvn_auth_gpg_agent/gpg_agent.c
>   (password_get_gpg_agent): If LC_CTYPE and/or DISPLAY environment variables
>    are set, use their values as arguments for the --lc-ctype and --display
>    options of gpg-agent.
> 
> Modified:
>     subversion/branches/gpg-agent-password-store/subversion/libsvn_auth_gpg_agent/gpg_agent.c
> 
> Modified: subversion/branches/gpg-agent-password-store/subversion/libsvn_auth_gpg_agent/gpg_agent.c
> URL: http://svn.apache.org/viewvc/subversion/branches/gpg-agent-password-store/subversion/libsvn_auth_gpg_agent/gpg_agent.c?rev=1150723&r1=1150722&r2=1150723&view=diff
> ==============================================================================
> --- subversion/branches/gpg-agent-password-store/subversion/libsvn_auth_gpg_agent/gpg_agent.c (original)
> +++ subversion/branches/gpg-agent-password-store/subversion/libsvn_auth_gpg_agent/gpg_agent.c Mon Jul 25 14:33:32 2011
> @@ -101,6 +101,8 @@ password_get_gpg_agent(const char **pass
>    struct sockaddr_un addr;
>    const char *tty_name;
>    const char *tty_type;
> +  const char *lc_ctype;
> +  const char *display;
>    const char *socket_name = NULL;
>    svn_checksum_t *digest = NULL;
>  
> @@ -195,6 +197,46 @@ password_get_gpg_agent(const char **pass
>        return FALSE;
>      }
>  
> +  /* Send LC_CTYPE to the gpg-agent daemon. */
> +  lc_ctype = getenv("LC_CTYPE");
> +  if (lc_ctype == NULL)
> +    lc_ctype = getenv("LC_ALL");
> +  if (lc_ctype == NULL)
> +    lc_ctype = getenv("LANG");
> +  if (lc_ctype != NULL)
> +    {
> +      request = apr_psprintf(pool, "OPTION lc-ctype=%s\n", lc_ctype);

You're passing an environment variable to gpg-agent unescaped.  Suppose
I could control the value of that variable in your environment.  (Yes,
this is a contrived situation.)  What could I do then?