Browse Source

bug fixes in block creation and directory security

fixmultiprocessexit release-7.1.0
Kevin Froman 1 month ago
parent
commit
e831a27ae3
7 changed files with 46 additions and 23 deletions
  1. +4
    -0
      CHANGELOG.md
  2. +1
    -1
      git-update.sh
  3. +1
    -1
      src/etc/onionrvalues.py
  4. +5
    -0
      src/onionrexceptions.py
  5. +22
    -20
      src/onionrproofs/subprocesspow.py
  6. +12
    -0
      src/utils/createdirs.py
  7. +1
    -1
      tests/runtime-result.txt

+ 4
- 0
CHANGELOG.md View File

@ -5,6 +5,10 @@ All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
## [7.1.0] - 2020-11-23
* Check for ownership of existing dirs in createdirs, this prevents the rare edge case where a user might use a home directory in a location an attacker could write (allowing arbitrary code execution via plugins). This was already partially mitigated by the chmod of the home directory in any case, but this further fixes the issue.
## [7.0.0] - 2020-11-22
* Removed communicator timers


+ 1
- 1
git-update.sh View File

@ -5,5 +5,5 @@ echo "Enter to continue, ctrl-c to stop."
read
git pull origin master
pip install -r --require-hashes requirements.txt
pip3 install -r --require-hashes requirements.txt
./onionr.sh reset-plugins

+ 1
- 1
src/etc/onionrvalues.py View File

@ -23,7 +23,7 @@ import filepaths
DENIABLE_PEER_ADDRESS = "OVPCZLOXD6DC5JHX4EQ3PSOGAZ3T24F75HQLIUZSDSMYPEOXCPFA"
PASSWORD_LENGTH = 25
ONIONR_TAGLINE = 'Private P2P Communication - GPLv3 - https://Onionr.net'
ONIONR_VERSION = '7.0.0'
ONIONR_VERSION = '7.1.0'
ONIONR_VERSION_CODENAME = 'Genesis'
ONIONR_VERSION_TUPLE = tuple(ONIONR_VERSION.split('.')) # (MAJOR, MINOR, VERSION)
API_VERSION = '2' # increments of 1; only change when something fundamental about how the API works changes. This way other nodes know how to communicate without learning too much information about you.


+ 5
- 0
src/onionrexceptions.py View File

@ -95,6 +95,11 @@ class Timeout(Exception):
# file exceptions
class InsecureDirectoryUsage(IOError):
"""This occurs when a directory used by the daemon is not owned by the user.
This is important to stop code execution attacks"""
pass
class DiskAllocationReached(Exception):
pass


+ 22
- 20
src/onionrproofs/subprocesspow.py View File

@ -116,24 +116,26 @@ class SubprocessPOW:
metadata['n'] = secrets.randbits(16)
puzzle = self.puzzle
difficulty = self.difficulty
while True:
# Break if shutdown received
try:
if pipe.poll() and pipe.recv() == 'shutdown':
try:
while True:
# Break if shutdown received
try:
if pipe.poll() and pipe.recv() == 'shutdown':
break
except KeyboardInterrupt:
break
except KeyboardInterrupt:
break
# Load nonce into block metadata
metadata['c'] = nonce
# Serialize metadata, combine with block data
payload = json.dumps(metadata).encode() + b'\n' + data
# Check sha3_256 hash of block, compare to puzzle
# Send payload if puzzle finished
token = sha3_hash(payload)
# ensure token is string
token = bytesconverter.bytes_to_str(token)
if puzzle == token[0:difficulty]:
pipe.send(payload)
break
nonce += 1
# Load nonce into block metadata
metadata['c'] = nonce
# Serialize metadata, combine with block data
payload = json.dumps(metadata).encode() + b'\n' + data
# Check sha3_256 hash of block, compare to puzzle
# Send payload if puzzle finished
token = sha3_hash(payload)
# ensure token is string
token = bytesconverter.bytes_to_str(token)
if puzzle == token[0:difficulty]:
pipe.send(payload)
break
nonce += 1
except KeyboardInterrupt:
pass

+ 12
- 0
src/utils/createdirs.py View File

@ -4,9 +4,12 @@ Create required Onionr directories
"""
import os
import stat
from pwd import getpwuid
from getpass import getuser
from . import identifyhome
import filepaths
import onionrexceptions
"""
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -24,6 +27,10 @@ import filepaths
home = identifyhome.identify_home()
def find_owner(filename):
return getpwuid(os.stat(filename).st_uid).pw_name
def create_dirs():
"""Create onionr data-related directories in
order of the hardcoded list below,
@ -33,6 +40,11 @@ def create_dirs():
for path in gen_dirs:
if not os.path.exists(path):
os.makedirs(path)
else:
if getuser() != find_owner(path):
raise onionrexceptions.InsecureDirectoryUsage(
"Directory " + path +
" already exists and is not owned by the same user")
os.chmod(home, stat.S_IRWXU)


+ 1
- 1
tests/runtime-result.txt View File

@ -1 +1 @@
1606002757
1606103134

Loading…
Cancel
Save