Summary: | emerge --info should filter out GENTOO_MIRRORS and PORTAGE_BINHOST | ||
---|---|---|---|
Product: | Portage Development | Reporter: | Jan Psota <jasiupsota> |
Component: | Core - Interface (emerge) | Assignee: | Portage team <dev-portage> |
Status: | RESOLVED FIXED | ||
Severity: | major | CC: | alexander, fturco, jstein, sam, security |
Priority: | Normal | Keywords: | InVCS |
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
See Also: | https://github.com/gentoo/portage/pull/536 https://bugs.gentoo.org/show_bug.cgi?id=280478 | ||
Bug Blocks: | 711148 | ||
Description
Jan Psota
2020-03-21 01:46:22 UTC
In addition to the emerge --info patch, we'll need another patch to fix the _hide_url_passwd function to replace all occurrences, since GENTOO_MIRRORS and PORTAGE_BINHOST may contain multiple values:

https://archives.gentoo.org/gentoo-portage-dev/message/1f6cbccba2bc58f2feef1646c1809370
https://github.com/gentoo/portage/pull/537

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/portage.git/commit/?id=90b7d3b00d5a5eb9b732fb8b5bf0870eb89ab422

commit 90b7d3b00d5a5eb9b732fb8b5bf0870eb89ab422
Author: Zac Medico <zmedico@gentoo.org>
AuthorDate: 2020-03-22 21:42:42 +0000
Commit: Zac Medico <zmedico@gentoo.org>
CommitDate: 2020-03-23 01:16:09 +0000

    _hide_url_passwd: replace all occurrences (bug 713726)

    Adjust the regular expression to avoid overly-greedy .+ groups, so that it will properly replace all occurrences, as necessary for the purposes of bug 713726 since PORTAGE_BINHOST may contain multiple values.

    Bug: https://bugs.gentoo.org/713726
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 lib/portage/package/ebuild/fetch.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/portage.git/commit/?id=ce66387db2ecad4c9b11b94a5aac6cf0181902c0

commit ce66387db2ecad4c9b11b94a5aac6cf0181902c0
Author: Sam James (sam_c) <sam@cmpct.info>
AuthorDate: 2020-03-22 02:23:54 +0000
Commit: Zac Medico <zmedico@gentoo.org>
CommitDate: 2020-03-23 01:17:46 +0000

    emerge --info: Filter variables for credentials

    Bug: https://bugs.gentoo.org/713726
    Closes: https://github.com/gentoo/portage/pull/536
    Signed-off-by: Sam James (sam_c) <sam@cmpct.info>
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 lib/_emerge/actions.py | 4 ++++
 1 file changed, 4 insertions(+)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6a0c4eab7417a7823cabe54ace677377114b18dd

commit 6a0c4eab7417a7823cabe54ace677377114b18dd
Author: Zac Medico <zmedico@gentoo.org>
AuthorDate: 2020-03-23 03:02:25 +0000
Commit: Zac Medico <zmedico@gentoo.org>
CommitDate: 2020-03-23 03:03:33 +0000

    sys-apps/portage: Bump to version 2.3.95

    #713100 fix FEATURES=userpriv $HOME permissions
    #713726 emerge --info: Filter variables for credentials
    #713818 eqawarn: output to build log regardless of --quiet

    Bug: https://bugs.gentoo.org/711148
    Bug: https://bugs.gentoo.org/713100
    Bug: https://bugs.gentoo.org/713726
    Bug: https://bugs.gentoo.org/713818
    Package-Manager: Portage-2.3.95, Repoman-2.3.21
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 sys-apps/portage/Manifest | 1 +
 sys-apps/portage/portage-2.3.95.ebuild | 268 +++++++++++++++++++++++++++++++++
 2 files changed, 269 insertions(+)

I see "*password*" now :-)
...but are you sure, that it is a better way than completely filtering out variables that may contain authorisation info?

(In reply to Jan Psota from comment #6)
> I see "*password*" now :-)
> ...but are you sure, that it is a better way than completely
> filtering out variables that may contain authorisation info?

Woo!

This is the same solution used for ensuring logs are sanitised. I went for your approach at first but it's possible that these variables could be useful for debugging.

If you know you're using credentials in make.conf, it's worth checking it over before you share it. I mean, some warning on --info could be considered, but IMO this would just be noise given this is quite a rare situation.

It filters out anything which the standard URI format for password, so we should be good... what's concerning you?

> It filters out anything which the standard URI format for password, so we
> should be good... what's concerning you?
Let it be :-)
"I'm paranoid but is it enough?"
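
The greedy-versus-bounded behaviour described in the _hide_url_passwd commit message above, as an added example that is not Portage's code and not part of any comment in this bug. The two patterns, the function names and the sample URLs are assumptions constructed for illustration.

```python
import re

# Constructed sample: a multi-valued setting such as PORTAGE_BINHOST,
# holding two space-separated URLs that each embed credentials.
SAMPLE = (
    "https://alice:s3cret@binhost1.example.org/pkgs "
    "https://bob:hunter2@binhost2.example.org/pkgs"
)

# Illustrative patterns (assumptions, not copied from Portage).
# GREEDY uses unbounded ".+" groups; BOUNDED restricts each group so a
# match cannot run across whitespace into the next URL.
GREEDY = re.compile(r"//(.+):.+@(.+)")
BOUNDED = re.compile(r"//([^:/\s]+):[^@\s]+@")


def mask_greedy(value):
    """Mask with the greedy pattern: one match swallows the whole value,
    so only the last user:password@ pair is rewritten."""
    return GREEDY.sub(r"//\1:*password*@\2", value)


def mask_bounded(value):
    """Mask every user:password@ pair independently."""
    return BOUNDED.sub(r"//\1:*password*@", value)


def leaked(masked, secrets):
    """Return the secrets still present in text that is about to be shared."""
    return [s for s in secrets if s in masked]


if __name__ == "__main__":
    secrets = ["s3cret", "hunter2"]
    for name, fn in (("greedy", mask_greedy), ("bounded", mask_bounded)):
        out = fn(SAMPLE)
        print(f"{name:8} {out}")
        print(f"{'':8} still exposed: {leaked(out, secrets) or 'none'}")
```

The `leaked` helper is the kind of check worth running over any masked output before posting it, using the credentials you know are in make.conf.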