
Bug 205966

Summary: patch to prevent the binhost password from being printed to stdout
Product: Portage Development
Reporter: Mike "Fuzzy" Partin <fuzzyoni>
Component: Core - Interface (emerge)
Assignee: Portage team <dev-portage>
Status: RESOLVED FIXED
Severity: normal
Keywords: InVCS
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 200044    
Attachments: simple interface enhancement

Description Mike "Fuzzy" Partin 2008-01-15 15:01:13 UTC
The -g option causes portage to spit out a useful message detailing which binhost emerge is connecting to; however, the password is also displayed, which has some obvious security concerns. Granted make.conf is readable, but there is the possibility that people who could not gain access to my system and its make.conf could gain visual access over my shoulder.

Reproducible: Always

Steps to Reproduce:
1. run emerge with the -g flag and a PORTAGE_BINHOST value set in /etc/make.conf
2.
3.

Actual Results:  
Calculating dependencies -
Fetching bininfo from ftp://username:password@binhost.example.com/All/

Expected Results:  
Calculating dependencies -
Fetching bininfo from ftp://username:password@binhost.example.com/All/

With my patch the following is output:
Calculating dependencies -
Fetching bininfo from ftp://username:*******@binhost.example.com/All/

My patch is as follows, and could likely be cleaned up a bit:
--- ./pym/portage.py    2008-01-15 10:25:37.000000000 -0600
+++ ../portage-2.1.3.16.fuzz/pym/portage.py     2008-01-15 10:25:21.000000000 -0600
@@ -7788,7 +7788,12 @@
                                chunk_size = 3000

                        writemsg_stdout("\n")
-                       writemsg_stdout(green("Fetching bininfo from ")+base_url+"\n")
+                       mp_proto = base_url.split(':')[0]
+                       mp_usern = base_url.split(':')[1].split('//')[1]
+                       mp_paswd = base_url.split(':')[2].split('@')[0]
+                       mp_url = base_url.split(':')[2].split('@')[1]
+                       output_url = mp_proto+'://'+mp_usern+':'+('*'*len(mp_paswd))+'@'+mp_url
+                       writemsg_stdout(green("Fetching bininfo from ")+output_url+"\n")
                        self.remotepkgs = getbinpkg.dir_get_metadata(
                                self.settings["PORTAGE_BINHOST"], chunk_size=chunk_size)
                        #writemsg_stdout(green("  -- DONE!\n\n"))
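Review bot: the four `mp_*` assignments assume `base_url` always has the form `proto://user:password@host/...`; with a PORTAGE_BINHOST that carries no credentials (for example `http://binhost.example.com/All/`), `base_url.split(':')[2]` raises IndexError, and with a port but no credentials `.split('@')[1]` does the same, so the message line would abort the fetch for those setups. A password containing `:` or `@` is also mis-split by the chained `split()` calls, and `'*'*len(mp_paswd)` still shows the password's length on screen. Suggest masking only when credentials are actually present, parsing the URL with the standard library's URL parser rather than positional splits, and printing a fixed-width mask in place of the password.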
Comment 1 Mike "Fuzzy" Partin 2008-01-15 15:02:11 UTC
Created attachment 140983 [details, diff]
simple interface enhancement
Comment 2 Zac Medico gentoo-dev 2008-02-01 05:36:15 UTC
Thanks, this has been released in 2.1.4.1.