提交 eb892701 编写于 作者: D Daniel P. Berrange

Block all use of getenv with syntax-check

The use of getenv is typically insecure, and we want people
to use our wrappers, to force them to think about setuid
needs.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
(cherry picked from commit 71b21f12)
上级 61fe5eeb
......@@ -851,6 +851,11 @@ sc_prohibit_unbounded_arrays_in_rpc:
halt='Arrays in XDR must have a upper limit set for <NNN>' \
$(_sc_search_regexp)
sc_prohibit_getenv:
@prohibit='\b(secure_)?getenv *\(' \
exclude='exempt from syntax-check' \
halt='Use virGetEnv{Allow,Block}SUID instead of getenv' \
$(_sc_search_regexp)
# We don't use this feature of maint.mk.
prev_version_file = /dev/null
......@@ -1020,3 +1025,6 @@ exclude_file_name_regexp--sc_prohibit_include_public_headers_brackets = \
exclude_file_name_regexp--sc_prohibit_int_ijk = \
^(src/remote_protocol-structs|src/remote/remote_protocol.x|cfg.mk|include/)$
exclude_file_name_regexp--sc_prohibit_getenv = \
^tests/.*\.[ch]$$
......@@ -2140,7 +2140,7 @@ cleanup:
*/
const char *virGetEnvBlockSUID(const char *name)
{
return secure_getenv(name);
return secure_getenv(name); /* exempt from syntax-check-rules */
}
......@@ -2154,7 +2154,7 @@ const char *virGetEnvBlockSUID(const char *name)
*/
const char *virGetEnvAllowSUID(const char *name)
{
return getenv(name);
return getenv(name); /* exempt from syntax-check-rules */
}
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册