Juan Hernandez has uploaded a new change for review. Change subject: BZ#856167 - Validate downloaded SSH public key ......................................................................
BZ#856167 - Validate downloaded SSH public key During registration the SSH public key of the engine is downloaded, but it is not verified in any way. In some situations we can be getting garbage from the server, for example when we connect to an HTTPS server using the HTTP protocol. That garbage can end up in the authorized_keys file. This patch changes deployUtils.py so that it verifies that what we get looks like a valid SSH public key before saving it to the file. Change-Id: Ic6873690534f431867859e91b5fb6b1f693155aa Signed-off-by: Juan Hernandez <[email protected]> --- M vdsm_reg/deployUtil.py.in 1 file changed, 21 insertions(+), 0 deletions(-) git pull ssh://gerrit.ovirt.org:29418/vdsm refs/changes/18/8018/1 diff --git a/vdsm_reg/deployUtil.py.in b/vdsm_reg/deployUtil.py.in index bbda70e..3943171 100644 --- a/vdsm_reg/deployUtil.py.in +++ b/vdsm_reg/deployUtil.py.in @@ -94,6 +94,18 @@ "'":'~' } +# Regular expression used to validate content of SSH public keys: +SSH_PUBLIC_KEY_RE = re.compile(flags=re.VERBOSE, pattern=r""" + ^ + \s* + ssh-(rsa|dss) + \s+ + ([A-Za-z0-9+/]+={0,2}) + (\s+[^\s]+)? + \s* + $ +""") + # # Script interface to use, required for # multi-engine version support. 
@@ -676,6 +688,15 @@ """ fReturn = True logging.debug('handleSSHKey start') + + # Check that the given string is a valid SSH key as in some + # situations we get from the engine valid HTTP responses that don't + # contain the SSH key but an HTML error message: + if fReturn: + if not SSH_PUBLIC_KEY_RE.match(strKey): + fReturn = False + logging.debug("handleSSHKey: the string \"%s\" isn't a valid SSH public key" % strKey) + if not os.path.exists(P_ROOT_SSH): logging.debug("handleSSHKey: creating .ssh dir.") try: -- To view, visit http://gerrit.ovirt.org/8018 To unsubscribe, visit http://gerrit.ovirt.org/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Ic6873690534f431867859e91b5fb6b1f693155aa Gerrit-PatchSet: 1 Gerrit-Project: vdsm Gerrit-Branch: master Gerrit-Owner: Juan Hernandez <[email protected]> _______________________________________________ vdsm-patches mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/vdsm-patches
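Review bot: in the `@@ -94,6 +94,18 @@` hunk the comment group `(\s+[^\s]+)?` uses `\s`, which also matches newlines, so a response such as `ssh-rsa AAAA\n<html>` still satisfies SSH_PUBLIC_KEY_RE and the junk line lands in authorized_keys together with the "key"; separate the fields with `[ \t]` and reject input that contains more than one non-empty line, or better, base64-decode the second field and check that its leading length-prefixed string equals the declared type, because `[A-Za-z0-9+/]+={0,2}` does not even require a length that base64 can decode. Two smaller points: `ssh-(rsa|dss)` rejects ECDSA engine keys (`ecdsa-sha2-nistp*`), which current OpenSSH already accepts, so either confirm the engine only ever issues RSA/DSA keys or widen the alternation; and the comment group admits only a single whitespace-free token, so a key whose comment contains a space (`ssh-keygen -C "engine key"`) is rejected. The hunk also does not show an `import re` in deployUtil.py.in; please make sure the module already has one. Minor: `re.compile(r"""...""", re.VERBOSE)` is the conventional argument order.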
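Review bot: in the `@@ -676,6 +688,15 @@` hunk a failed match only sets `fReturn = False`, and the next statement shown, `if not os.path.exists(P_ROOT_SSH):`, runs regardless; please confirm that the later step that appends strKey to authorized_keys is gated on fReturn (or return early here), otherwise the rejected string is still written and the patch only adds a log line. The `if fReturn:` guard directly after `fReturn = True` is always true; keep it only if it mirrors the step pattern used in the rest of the function. For the log call prefer `logging.debug("handleSSHKey: the string %r isn't a valid SSH public key", strKey)` so formatting is deferred and the value is quoted, and consider truncating strKey, since in the failure case it is an entire HTML error page. Finally, because the regex tolerates leading and trailing whitespace, strip strKey before it is written so authorized_keys receives one clean line.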
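The check the commit message describes can be made structural rather than textual: an OpenSSH public-key line is `type base64-blob [comment]`, and the blob is RFC 4253 wire format, a length-prefixed type string followed by length-prefixed key fields. The following Python 3 module is an added example written for this review; it is not vdsm code and not the patch under review. It decodes the blob, checks that the embedded type matches the declared one and that the fields add up, and rejects the HTML error page the commit message mentions. `ALLOWED_KEY_TYPES`, `validate_ssh_public_key`, `build_key_line` and the `SAMPLE_*` inputs are assumptions constructed for the demo (the sample keys are well-formed but are not real keys); `PATCH_RE` is the patch's own expression flattened onto one line, included only so the two can be compared.

```python
import base64
import re
import struct

# Key types OpenSSH accepts in authorized_keys. Assumption for this example:
# the engine only hands out one of these; extend the set if it does not.
ALLOWED_KEY_TYPES = frozenset([
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
])

# Fields are separated by space/tab only, so a newline can never glue the key
# to trailing junk; the comment may contain spaces (ssh-keygen -C "a b").
_LINE_RE = re.compile(r"^[ \t]*(\S+)[ \t]+([A-Za-z0-9+/]+={0,2})(?:[ \t]+(.*))?$")

# The regex from the patch under review, kept here only for comparison.
PATCH_RE = re.compile(r"^\s*ssh-(rsa|dss)\s+([A-Za-z0-9+/]+={0,2})(\s+[^\s]+)?\s*$")


def _read_ssh_string(blob, offset):
    """Read one RFC 4251 'string': uint32 big-endian length, then that many bytes."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length prefix at offset %d" % offset)
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    offset += 4
    if offset + length > len(blob):
        raise ValueError("truncated field at offset %d" % offset)
    return blob[offset:offset + length], offset + length


def validate_ssh_public_key(text):
    """Return a normalised 'type base64 [comment]' line, or raise ValueError.

    Rejects anything that is not exactly one key line: an HTML error page,
    binary garbage read from a TLS port over plain HTTP, an unknown key type,
    a declared type that disagrees with the type embedded in the blob, or a
    blob whose length-prefixed fields do not add up to its size.
    """
    if not isinstance(text, str):
        raise ValueError("expected str, got %s" % type(text).__name__)
    lines = [line for line in text.splitlines() if line.strip()]
    if len(lines) != 1:
        raise ValueError("expected one non-empty line, got %d" % len(lines))
    match = _LINE_RE.match(lines[0])
    if match is None:
        raise ValueError("line does not look like an OpenSSH public key")
    key_type, b64, comment = match.groups()
    if key_type not in ALLOWED_KEY_TYPES:
        raise ValueError("unsupported key type %r" % key_type)
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("key data is not valid base64: %s" % exc)
    embedded, offset = _read_ssh_string(blob, 0)
    if embedded != key_type.encode("ascii"):
        raise ValueError("blob type %r != declared type %r" % (embedded, key_type))
    fields = 0
    while offset < len(blob):
        _, offset = _read_ssh_string(blob, offset)
        fields += 1
    if fields == 0:
        raise ValueError("no key material after the type field")
    comment = (comment or "").strip()
    line = "%s %s" % (key_type, b64)
    return line + " " + comment if comment else line


def is_valid_ssh_public_key(text):
    """Boolean wrapper in the fReturn style used by handleSSHKey()."""
    try:
        validate_ssh_public_key(text)
        return True
    except ValueError:
        return False


# Constructed sample inputs. build_key_line() wraps arbitrary bytes in the
# wire format, so its output is well-formed but is NOT a usable key.
def _ssh_string(data):
    return struct.pack(">I", len(data)) + data


def build_key_line(key_type, fields, comment=None):
    blob = _ssh_string(key_type.encode("ascii"))
    for field in fields:
        blob += _ssh_string(field)
    line = "%s %s" % (key_type, base64.b64encode(blob).decode("ascii"))
    return line + " " + comment if comment else line


SAMPLE_ED25519 = build_key_line("ssh-ed25519", [b"\x01" * 32], "engine@example")
SAMPLE_RSA_SPACED = build_key_line("ssh-rsa", [b"\x01\x00\x01", b"\x00\xab" * 16],
                                   "engine key with spaces")
SAMPLE_HTML = ("<html><head><title>400 Bad Request</title></head>\n"
               "<body>plain HTTP request sent to an HTTPS port</body></html>\n")
SAMPLE_TYPE_MISMATCH = "ssh-rsa " + build_key_line("ssh-dss", [b"\x01"]).split(" ")[1]
SAMPLE_NEWLINE_JUNK = "ssh-rsa AAAA\n<html>"
```

In a registration flow the caller would write the string returned by `validate_ssh_public_key` (already stripped and single-line) rather than the raw download, and treat `ValueError` as the `fReturn = False` case. The comparison with `PATCH_RE` shows the two edges that matter: the patch's expression accepts `SAMPLE_NEWLINE_JUNK` because `\s` spans the newline, and rejects `SAMPLE_RSA_SPACED` because its comment contains spaces; the structural check does the opposite in both cases.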
