
Bug 713726

Summary: emerge --info should filter out GENTOO_MIRRORS and PORTAGE_BINHOST
Product: Portage Development
Reporter: Jan Psota <jasiupsota>
Component: Core - Interface (emerge)
Assignee: Portage team <dev-portage>
Status: RESOLVED FIXED
Severity: major
CC: alexander, fturco, jstein, sam, security
Priority: Normal
Keywords: InVCS
Version: unspecified
Hardware: All
OS: Linux
See Also: https://github.com/gentoo/portage/pull/536
https://bugs.gentoo.org/show_bug.cgi?id=280478
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 711148

Description Jan Psota 2020-03-21 01:46:22 UTC
...because they can include passwords.

I use PORTAGE_BINHOST=ftp://getbin:password@host
and something similar for GENTOO_MIRRORS.
Comment 1 Zac Medico gentoo-dev 2020-03-22 04:28:34 UTC
Patch: https://github.com/gentoo/portage/pull/536
Comment 2 Zac Medico gentoo-dev 2020-03-22 21:59:08 UTC
In addition to the emerge --info patch, we'll need another patch to fix the _hide_url_passwd function to replace all occurrences, since GENTOO_MIRRORS and PORTAGE_BINHOST may contain multiple values:

https://archives.gentoo.org/gentoo-portage-dev/message/1f6cbccba2bc58f2feef1646c1809370
https://github.com/gentoo/portage/pull/537
Comment 3 Larry the Git Cow gentoo-dev 2020-03-23 01:49:42 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/portage.git/commit/?id=90b7d3b00d5a5eb9b732fb8b5bf0870eb89ab422

commit 90b7d3b00d5a5eb9b732fb8b5bf0870eb89ab422
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2020-03-22 21:42:42 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2020-03-23 01:16:09 +0000

    _hide_url_passwd: replace all occurrences (bug 713726)
    
    Adjust the regular expression to avoid overly-greedy .+ groups,
    so that it will properly replace all occurrences, as necessary
    for the purposes of bug 713726 since PORTAGE_BINHOST may contain
    multiple values.
    
    Bug: https://bugs.gentoo.org/713726
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 lib/portage/package/ebuild/fetch.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
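
The failure mode described in comments 2 and 3, as an added example that is not part of the bug report or of Portage's code: a redaction regex built from greedy `.+` groups masks only the last password in a multi-valued variable, while a bounded pattern masks every one. Both patterns, the function names, the host names and the passwords are constructed for illustration; only the `*password*` mask and the variable names come from this page.

```python
import re

# Illustrative patterns (assumptions, not Portage's actual expressions).
# GREEDY: the .+ groups swallow everything up to the last ':' and '@'
# in the string, so a value holding several URLs yields one match.
GREEDY = re.compile(r"//(.+):.+@(.+)")
# BOUNDED: user stops at ':', '/', '@' or whitespace; password stops at
# '@' or whitespace. Each URL in the value is matched separately.
# This deliberately over-redacts odd inputs such as "//host:8080/a@b".
BOUNDED = re.compile(r"//([^:/@\s]+):[^@\s]+@")

MASK = "*password*"
CREDENTIAL_VARS = ("GENTOO_MIRRORS", "PORTAGE_BINHOST")


def hide_greedy(value):
    """Redaction with greedy groups: masks only the final credential."""
    return GREEDY.sub(r"//\1:" + MASK + r"@\2", value)


def hide_all(value):
    """Redaction with bounded groups: masks every credential."""
    return BOUNDED.sub(r"//\1:" + MASK + "@", value)


def sanitize_info(variables, names=CREDENTIAL_VARS):
    """Return a copy of the variables with URL passwords masked."""
    return {k: hide_all(v) if k in names else v for k, v in variables.items()}


def leaked(text, secrets):
    """List the secrets that still appear verbatim in text."""
    return [s for s in secrets if s in text]


# Constructed sample: two binhosts with different passwords.
SECRETS = ["s3cretA", "s3cretB"]
SAMPLE = ("ftp://getbin:s3cretA@host-a.example/pkgs "
          "https://getbin:s3cretB@host-b.example/pkgs")

if __name__ == "__main__":
    print("greedy :", hide_greedy(SAMPLE), "leaks", leaked(hide_greedy(SAMPLE), SECRETS))
    print("bounded:", hide_all(SAMPLE), "leaks", leaked(hide_all(SAMPLE), SECRETS))
```

A check like `leaked()` is worth keeping as a regression test for any log or report sanitiser, since the greedy version passes every single-URL test case.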
Comment 4 Larry the Git Cow gentoo-dev 2020-03-23 01:51:44 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/portage.git/commit/?id=ce66387db2ecad4c9b11b94a5aac6cf0181902c0

commit ce66387db2ecad4c9b11b94a5aac6cf0181902c0
Author:     Sam James (sam_c) <sam@cmpct.info>
AuthorDate: 2020-03-22 02:23:54 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2020-03-23 01:17:46 +0000

    emerge --info: Filter variables for credentials
    
    Bug: https://bugs.gentoo.org/713726
    Closes: https://github.com/gentoo/portage/pull/536
    Signed-off-by: Sam James (sam_c) <sam@cmpct.info>
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 lib/_emerge/actions.py | 4 ++++
 1 file changed, 4 insertions(+)
Comment 5 Larry the Git Cow gentoo-dev 2020-03-23 03:13:53 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6a0c4eab7417a7823cabe54ace677377114b18dd

commit 6a0c4eab7417a7823cabe54ace677377114b18dd
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2020-03-23 03:02:25 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2020-03-23 03:03:33 +0000

    sys-apps/portage: Bump to version 2.3.95
    
     #713100 fix FEATURES=userpriv $HOME permissions
     #713726 emerge --info: Filter variables for credentials
     #713818 eqawarn: output to build log regardless of --quiet
    
    Bug: https://bugs.gentoo.org/711148
    Bug: https://bugs.gentoo.org/713100
    Bug: https://bugs.gentoo.org/713726
    Bug: https://bugs.gentoo.org/713818
    Package-Manager: Portage-2.3.95, Repoman-2.3.21
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 sys-apps/portage/Manifest              |   1 +
 sys-apps/portage/portage-2.3.95.ebuild | 268 +++++++++++++++++++++++++++++++++
 2 files changed, 269 insertions(+)
Comment 6 Jan Psota 2020-03-25 23:14:46 UTC
I see "*password*" now :-)
...but are you sure, that it is a better way than completely
filtering out variables that may contain authorisation info?
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-25 23:24:33 UTC
(In reply to Jan Psota from comment #6)
> I see "*password*" now :-)
> ...but are you sure, that it is a better way than completely
> filtering out variables that may contain authorisation info?

Woo!

This is the same solution used for ensuring logs are sanitised.

I went for your approach at first but it's possible that these variables could be useful for debugging. If you know you're using credentials in make.conf, it's worth checking it over before you share it.

I mean, some warning on --info could be considered, but IMO this would just be noise given this is quite a rare situation.

It filters out anything which the standard URI format for password, so we should be good... what's concerning you?
Comment 8 Jan Psota 2020-03-26 00:20:30 UTC
> It filters out anything which the standard URI format for password, so we
> should be good... what's concerning you?

Let it be :-)
"I'm paranoid but is it enough?"