From a0c5a6cdb6f94cdd08fc0f3eb7480a1199918c59 Mon Sep 17 00:00:00 2001
From: epriestley
Date: Wed, 3 Jul 2013 15:13:45 -0700
Subject: [PATCH] Use %P for all sensitive command construction in Phabricator
Summary: Depends on D6366. Applies %P everywhere.
Test Plan: Ran various daemon commands via scripts, e.g. `bin/repository pull`, `bin/storage dump`.
Reviewers: btrahan, mbishopim3
Reviewed By: btrahan
CC: aran
Differential Revision: https://secure.phabricator.com/D6367
---
 .../storage/PhabricatorRepository.php | 32 +++++++++----------
 ...abricatorStorageManagementDumpWorkflow.php | 5 ++-
 2 files changed, 18 insertions(+), 19 deletions(-)
diff --git a/src/applications/repository/storage/PhabricatorRepository.php b/src/applications/repository/storage/PhabricatorRepository.php
index c360dd5b0f..1ea274fc47 100644
--- a/src/applications/repository/storage/PhabricatorRepository.php
+++ b/src/applications/repository/storage/PhabricatorRepository.php
@@ -170,17 +170,17 @@ final class PhabricatorRepository extends PhabricatorRepositoryDAO
 array_unshift(
 $args,
 csprintf(
- 'ssh -l %s -i %s',
- $this->getSSHLogin(),
- $this->getSSHKeyfile()));
+ 'ssh -l %P -i %P',
+ new PhutilOpaqueEnvelope($this->getSSHLogin()),
+ new PhutilOpaqueEnvelope($this->getSSHKeyfile())));
 break;
 case PhabricatorRepositoryType::REPOSITORY_TYPE_GIT:
 $command = call_user_func_array(
 'csprintf',
 array_merge(
 array(
- "(ssh-add %s && HOME=%s git {$pattern})",
- $this->getSSHKeyfile(),
+ "(ssh-add %P && HOME=%s git {$pattern})",
+ new PhutilOpaqueEnvelope($this->getSSHKeyfile()),
 $empty,
 ),
 $args));
@@ -192,9 +192,9 @@ final class PhabricatorRepository extends PhabricatorRepositoryDAO
 array_unshift(
 $args,
 csprintf(
- 'ssh -l %s -i %s',
- $this->getSSHLogin(),
- $this->getSSHKeyfile()));
+ 'ssh -l %P -i %P',
+ new PhutilOpaqueEnvelope($this->getSSHLogin()),
+ new PhutilOpaqueEnvelope($this->getSSHKeyfile())));
 break;
 default:
 throw new Exception("Unrecognized version control system.");
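Review bot: The `csprintf('ssh -l %P -i %P', ...)` result now carries masked parts and is pushed onto `$args` for an outer pattern that lies outside this hunk; the same applies to the second ssh hunk at -192. It is worth confirming that the outer conversion expands a nested command string in its unmasked form at execution time, because if it is stringified instead, ssh would receive the masking placeholder rather than the login and key path. The test plan names only `bin/repository pull` and `bin/storage dump`, so a pull against an SSH-backed repository of each type handled in this switch would cover the path. A comment above the call such as `// %P keeps credentials out of rendered command strings; the outer pattern must unmask on execution.` would record that dependency.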
@@ -207,13 +207,13 @@ final class PhabricatorRepository extends PhabricatorRepositoryDAO
 "--non-interactive ".
 "--no-auth-cache ".
 "--trust-server-cert ".
- "--username %s ".
- "--password %s ".
+ "--username %P ".
+ "--password %P ".
 $pattern;
 array_unshift(
 $args,
- $this->getDetail('http-login'),
- $this->getDetail('http-pass'));
+ new PhutilOpaqueEnvelope($this->getDetail('http-login')),
+ new PhutilOpaqueEnvelope($this->getDetail('http-pass')));
 break;
 default:
 throw new Exception(
@@ -226,13 +226,13 @@ final class PhabricatorRepository extends PhabricatorRepositoryDAO
 "svn ".
 "--non-interactive ".
 "--no-auth-cache ".
- "--username %s ".
- "--password %s ".
+ "--username %P ".
+ "--password %P ".
 $pattern;
 array_unshift(
 $args,
- $this->getDetail('http-login'),
- $this->getDetail('http-pass'));
+ new PhutilOpaqueEnvelope($this->getDetail('http-login')),
+ new PhutilOpaqueEnvelope($this->getDetail('http-pass')));
 break;
 default:
 throw new Exception(
diff --git a/src/infrastructure/storage/management/workflow/PhabricatorStorageManagementDumpWorkflow.php b/src/infrastructure/storage/management/workflow/PhabricatorStorageManagementDumpWorkflow.php
index 464ac862bb..046ff51c64 100644
--- a/src/infrastructure/storage/management/workflow/PhabricatorStorageManagementDumpWorkflow.php
+++ b/src/infrastructure/storage/management/workflow/PhabricatorStorageManagementDumpWorkflow.php
@@ -33,9 +33,8 @@ final class PhabricatorStorageManagementDumpWorkflow
 $password = $api->getPassword();
 if ($password) {
- $password = $password->openEnvelope();
- if (strlen($password)) {
- $flag_password = csprintf('-p%s', $password);
+ if (strlen($password->openEnvelope())) {
+ $flag_password = csprintf('-p%P', $password);
 }
 }
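Review bot: `--password %P` in the hunk at -207 (and again at -226, and `-p%P` in the dump workflow at -33) still places the secret on the child process's argument list, since `%P` appears to affect only how the command string is rendered. Other local accounts may be able to read it from the process table while the command runs. If that matters for the deployment, the mysqldump call could take the password from an option file with restrictive permissions via `--defaults-extra-file`, and newer Subversion clients accept `--password-from-stdin`. At minimum, a comment such as `// NOTE: %P only masks display; the value is still passed on argv.` next to each pattern would keep readers from over-trusting the envelope. The enclosing switch statements and the execution of the dump command lie outside these hunks.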