2016.11.10_CVE-2020-11651.patch
diff --git a/salt/master.py b/salt/master.py
index 740912e..61996a7 100644
--- a/salt/master.py
+++ b/salt/master.py
@@ -905,10 +905,12 @@ class MWorker(SignalHandlingMultiprocessingProcess):
:return: The result of passing the load to a function in ClearFuncs corresponding to
the command specified in the load's 'cmd' key.
'''
- log.trace('Clear payload received with command {cmd}'.format(**load))
- if load['cmd'].startswith('__'):
- return False
- return getattr(self.clear_funcs, load['cmd'])(load), {'fun': 'send_clear'}
+ log.trace('Clear payload received with command %s', load['cmd'])
+ cmd = load['cmd']
+ method = self.clear_funcs.get_method(cmd)
+ if not method:
+ return {}, {'fun': 'send_clear'}
+ return method(load), {'fun': 'send_clear'}
def _handle_aes(self, data):
'''
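Review bot: `load['cmd']` is still read without a presence check in `_handle_clear`, so a clear payload that lacks the key raises KeyError on the new `log.trace` line before the allowlist lookup runs. This path serves requests that are not authenticated, so it should fail closed the way `_handle_aes` does, with `if 'cmd' not in load: return {}, {'fun': 'send_clear'}` ahead of the trace call. The trace call can then log `cmd` instead of indexing the dict a second time. Whether the caller catches the exception cannot be seen here, and the function's signature and the start of its docstring are outside the hunk.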
@@ -921,9 +923,11 @@ class MWorker(SignalHandlingMultiprocessingProcess):
if 'cmd' not in data:
log.error('Received malformed command {0}'.format(data))
return {}
- log.trace('AES payload received with command {0}'.format(data['cmd']))
- if data['cmd'].startswith('__'):
- return False
+ cmd = data['cmd']
+ log.trace('AES payload received with command %s', data['cmd'])
+ method = self.aes_funcs.get_method(cmd)
+ if not method:
+ return {}, {'fun': 'send'}
return self.aes_funcs.run_func(data['cmd'], data)
def run(self):
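Review bot: The two early exits of `_handle_aes` now return different shapes: the malformed-payload branch keeps `return {}` while the new not-exposed branch returns `{}, {'fun': 'send'}`. If the caller unpacks a `(ret, opts)` pair, as the other returns suggest, the bare dict will fail there, so `return {}, {'fun': 'send'}` in both places would keep the contract uniform. In addition, `method` is resolved only as a gate and then discarded, and dispatch goes through `run_func(data['cmd'], data)`. If `run_func` (not shown in this hunk) resolves names differently, the allowlist and the real lookup can drift apart; passing `cmd` and adding a comment that `get_method` is the sole gate would make the intent explicit.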
@@ -940,13 +944,44 @@ class MWorker(SignalHandlingMultiprocessingProcess):
self.__bind()
+class TransportMethods(object):
+ '''
+ Expose methods to the transport layer, methods with their names found in
+ the class attribute 'expose_methods' will be exposed to the transport layer
+ via 'get_method'.
+ '''
+
+ expose_methods = ()
+
+ def get_method(self, name):
+ '''
+ Get a method which should be exposed to the transport layer
+ '''
+ if name in self.expose_methods:
+ try:
+ return getattr(self, name)
+ except AttributeError:
+ log.error("Expose method not found: %s", name)
+ else:
+ log.error("Requested method not exposed: %s", name)
+
+
# TODO: rename? No longer tied to "AES", just "encrypted" or "private" requests
-class AESFuncs(object):
+class AESFuncs(TransportMethods):
'''
Set up functions that are available when the load is encrypted with AES
'''
- # The AES Functions:
- #
+
+ expose_methods = (
+ 'verify_minion', '_master_tops', '_ext_nodes', '_master_opts',
+ '_mine_get', '_mine', '_mine_delete', '_mine_flush', '_file_recv',
+ '_pillar', '_minion_event', '_handle_minion_event', '_return',
+ '_syndic_return', 'minion_runner', 'pub_ret', 'minion_pub',
+ 'minion_publish', 'revoke_auth', 'run_func', '_serve_file',
+ '_file_find', '_file_hash', '_file_find_and_stat', '_file_list',
+ '_file_list_emptydirs', '_dir_list', '_symlink_list', '_file_envs',
+ )
+
def __init__(self, opts):
'''
Create a new AESFuncs
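Review bot: `get_method` writes the peer-supplied `name` into the log with `%s` at error level on both failure paths, and for `ClearFuncs` that value comes from unauthenticated clients. Formatting it with `%r` (`log.error("Requested method not exposed: %r", name)`) keeps embedded newlines or control characters from forging log lines, and a lower level or a rate limit would keep a noisy peer from flooding the master log. The docstring should also state that the method returns `None` when the name is not exposed or not found, since both callers rely on that falsy result. Separately, `'run_func'` in the `AESFuncs` tuple names the dispatcher itself, not a command handler; that may be intentional, but it deserves a comment or removal. The `AESFuncs` class body continues past the end of this hunk.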
@@ -1660,11 +1695,18 @@ class AESFuncs(object):
return ret, {'fun': 'send'}
-class ClearFuncs(object):
+class ClearFuncs(TransportMethods):
'''
Set up functions that are safe to execute when commands sent to the master
without encryption and authentication
'''
+
+ # These methods will be exposed to the transport layer by
+ # MWorker._handle_clear
+ expose_methods = (
+ 'ping', 'publish', 'get_token', 'mk_token', 'wheel', 'runner',
+ )
+
# The ClearFuncs object encapsulates the functions that can be executed in
# the clear:
# publish (The publish from the LocalClient)
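Review bot: The comment above `expose_methods` in `ClearFuncs` says where the list is consumed but not the security contract it carries. Every name listed is callable by a peer that has neither encrypted nor authenticated, so each method must do its own credential checks. I would extend it to something like `# Reachable WITHOUT authentication via MWorker._handle_clear; every method listed here must validate credentials itself.` The older comment block that follows lists the clear functions again and can now drift from the tuple, so it should point at `expose_methods` instead. The rest of the class lies outside the hunk.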