[Git][NTPsec/ntpsec][master] Fixed potential security vulnerability and added additional comments.
Ian Bruene
gitlab at mg.gitlab.com
Mon Jan 1 21:14:29 UTC 2018
Ian Bruene pushed to branch master at NTPsec / ntpsec
Commits:
8c9f6429 by Ian Bruene at 2018-01-01T15:13:31-06:00
Fixed potential security vulnerability and added additional comments.
- - - - -
1 changed file:
- pylib/util.py
Changes:
=====================================
pylib/util.py
=====================================
--- a/pylib/util.py
+++ b/pylib/util.py
@@ -556,11 +556,17 @@ canonicalization_cache = Cache()
import subprocess
-
+# Hack to avoid occasional multi-second long delays when doing a DNS
+# lookup. Delays of that length will cause the SNMP master agent to drop
+# the connection. Uaccceptable.
+# Unfortunately there is no good way to timeout a function in Python, so
+# we are left with one of the ugly options that happened to work.
def timed_canonicalize_dns(inhost, family=socket.AF_UNSPEC, ttl=1.0):
resname = canonicalization_cache.get(inhost)
if resname is not None:
return resname
+ if "'" in inhost: # Invalid IP address that will break the function.
+ return inhost # Potentially hostile.
cmd = "import ntp.util; print(ntp.util.canonicalize_dns('%s', %s))"
cmd = cmd % (str(inhost), str(family))
p = subprocess.Popen(["python", "-c", cmd],
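Review bot: The new `if "'" in inhost:` check rejects only the single quote, but `inhost` is still formatted into Python source by `cmd % (str(inhost), str(family))` and run with `python -c`, so other characters that change how the string literal parses (a backslash or a newline, for example) are not covered. Rather than extending a character denylist, keep the host out of the source text entirely: have the `-c` snippet read it from `sys.argv[1]` and pass `inhost` as an additional element of the `Popen` argument list, or validate `inhost` against the set of characters allowed in hostnames and IP literals before use. The same applies to `family`, which is interpolated with `%s` as well. Minor: "Uaccceptable" in the added comment is a typo for "Unacceptable".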
View it on GitLab: https://gitlab.com/NTPsec/ntpsec/commit/8c9f64298f78079cbe58345bc88de699295e61d8