making -k option obsolete due to security issue, replace by PYRO_HMAC…

…_KEY env var. Fixes #199
irmen · Apr 3, 2018 · a9544e0 · a9544e0
1 parent 220057d
commit a9544e0
Show file tree

Hide file tree

Showing 5 changed files with 31 additions and 0 deletions.
diff --git a/src/Pyro4/naming.py b/src/Pyro4/naming.py
@@ -10,6 +10,7 @@
 import logging
 import socket
 import sys
+import os
 import time
 import threading
 from Pyro4.errors import NamingError, PyroError, ProtocolError
@@ -552,6 +553,10 @@ def main(args=None):
     if options.key:
         warnings.warn("using -k to supply HMAC key on the command line is a security problem "
                       "and is deprecated since Pyro 4.72. See the documentation for an alternative.")
+    if "PYRO_HMAC_KEY" in os.environ:
+        if options.key:
+            raise SystemExit("error: don't use -k and PYRO_HMAC_KEY at the same time")
+        options.key = os.environ["PYRO_HMAC_KEY"]
     startNSloop(options.host, options.port, enableBroadcast=options.enablebc,
                 bchost=options.bchost, bcport=options.bcport, unixsocket=options.unixsocket,
                 nathost=options.nathost, natport=options.natport, storage=options.storage,

diff --git a/src/Pyro4/nsc.py b/src/Pyro4/nsc.py
@@ -6,6 +6,7 @@
 
 from __future__ import print_function
 import sys
+import os
 import warnings
 from Pyro4 import errors, naming
 
@@ -123,6 +124,10 @@ def main(args=None):
     if options.key:
         warnings.warn("using -k to supply HMAC key on the command line is a security problem "
                       "and is deprecated since Pyro 4.72. See the documentation for an alternative.")
+    if "PYRO_HMAC_KEY" in os.environ:
+        if options.key:
+            raise SystemExit("error: don't use -k and PYRO_HMAC_KEY at the same time")
+        options.key = os.environ["PYRO_HMAC_KEY"]
     if not args or args[0] not in ("register", "remove", "removematching", "list", "listmatching", "lookup",
                                    "listmeta_all", "listmeta_any", "setmeta", "ping"):
         parser.error("invalid or missing command")

diff --git a/src/Pyro4/test/echoserver.py b/src/Pyro4/test/echoserver.py
@@ -14,6 +14,7 @@
 
 from __future__ import print_function
 import sys
+import os
 import time
 import warnings
 import threading
@@ -157,6 +158,10 @@ def main(args=None, returnWithoutLooping=False):
     if options.key:
         warnings.warn("using -k to supply HMAC key on the command line is a security problem "
                       "and is deprecated since Pyro 4.72. See the documentation for an alternative.")
+    if "PYRO_HMAC_KEY" in os.environ:
+        if options.key:
+            raise SystemExit("error: don't use -k and PYRO_HMAC_KEY at the same time")
+        options.key = os.environ["PYRO_HMAC_KEY"]
 
     if options.verbose:
         options.quiet = False

diff --git a/src/Pyro4/utils/flameserver.py b/src/Pyro4/utils/flameserver.py
@@ -16,6 +16,7 @@
 
 from __future__ import print_function
 import sys
+import os
 import warnings
 from Pyro4.configuration import config
 from Pyro4 import core
@@ -37,6 +38,11 @@ def main(args=None, returnWithoutLooping=False):
         warnings.warn("using -k to supply HMAC key on the command line is a security problem "
                       "and is deprecated since Pyro 4.72. See the documentation for an alternative.")
 
+    if "PYRO_HMAC_KEY" in os.environ:
+        if options.key:
+            raise SystemExit("error: don't use -k and PYRO_HMAC_KEY at the same time")
+        options.key = os.environ["PYRO_HMAC_KEY"]
+
     if not options.quiet:
         print("Starting Pyro Flame server.")
 

diff --git a/src/Pyro4/utils/httpgateway.py b/src/Pyro4/utils/httpgateway.py
@@ -26,6 +26,7 @@
 import sys
 import re
 import cgi
+import os
 import uuid
 import warnings
 from wsgiref.simple_server import make_server
@@ -320,6 +321,15 @@ def main(args=None):
     if options.pyrokey or options.gatewaykey:
         warnings.warn("using -k and/or -g to supply keys on the command line is a security problem "
                       "and is deprecated since Pyro 4.72. See the documentation for an alternative.")
+    if "PYRO_HMAC_KEY" in os.environ:
+        if options.pyrokey:
+            raise SystemExit("error: don't use -k and PYRO_HMAC_KEY at the same time")
+        options.pyrokey = os.environ["PYRO_HMAC_KEY"]
+    if "PYRO_HTTPGATEWAY_KEY" in os.environ:
+        if options.gatewaykey:
+            raise SystemExit("error: don't use -g and PYRO_HTTPGATEWAY_KEY at the same time")
+        options.gatewaykey = os.environ["PYRO_HTTPGATEWAY_KEY"]
+
     pyro_app.hmac_key = (options.pyrokey or "").encode("utf-8")
     pyro_app.gateway_key = (options.gatewaykey or "").encode("utf-8")
     pyro_app.ns_regex = options.expose