overwrites /dev/null with pycurl cookie jar #34

Closed
rwmjones opened this issue Mar 16, 2021 · 5 comments

@rwmjones

rwmjones commented Mar 16, 2021

With recent PyCurl (at least in Fedora 34) /dev/null is overwritten if you use the SDK as root.

The reason is because of the following code:

```
curl = pycurl.Curl()
curl.setopt(pycurl.COOKIEFILE, '/dev/null')
curl.setopt(pycurl.COOKIEJAR, '/dev/null')
```

You can demonstrate this pretty easily with a tiny test program (NB be aware before running this that it will destroy your /dev/null and make your system unusable!)

```
$ cat curl.py
#!/usr/bin/python3

import pycurl

curl = pycurl.Curl()
curl.setopt(pycurl.COOKIEFILE, '/dev/null')
curl.setopt(pycurl.COOKIEJAR, '/dev/null')

$ sudo ./curl.py

$ ll /dev/null
-rw-r--r--. 1 root root 136 Mar 16 13:40 /dev/null
```

Downstream bug: https://bugzilla.redhat.com/show_bug.cgi?id=1939387#c6

@nyoxi
Member

nyoxi commented Mar 16, 2021

I am wondering why this is needed in the first place, because it should be disabled by default: https://curl.se/libcurl/c/CURLOPT_COOKIEJAR.html
But I assume the user can override it with an environment variable maybe?

It looks like there is a bug in the pycurl wrapper also, because you cannot "undefine" the value. Using None or 0 does not seem to work and produces errors:

```
...
Traceback (most recent call last):
  File "/tmp/tmp.6pLX6iXQx8/curl.py", line 7, in <module>
    curl.setopt(pycurl.COOKIEFILE, None)
TypeError: unsetopt() is not supported for this option
...
Traceback (most recent call last):
  File "/tmp/tmp.6pLX6iXQx8/curl.py", line 7, in <module>
    curl.setopt(pycurl.COOKIEFILE, 0)
TypeError: integers are not supported for this option
```

@rwmjones
Author

rwmjones commented Mar 16, 2021

I checked with the C API and it does allow you to set the cookie jar to NULL.

(My previous comment here was wrong)

For COOKIEJAR, you can either set this to - or a filename, and for any filename it will simply overwrite the file, so that's bad.

If the aim is to enable cookies in the handle, but without writing to any file, then you should set COOKIEFILE to "" (empty string), which in the current implementation calls Curl_cookie_init to initialize cookies, but does not read or write any cookies.

IOW this change:

- curl.setopt(pycurl.COOKIEFILE, '/dev/null')
+ curl.setopt(pycurl.COOKIEFILE, '')
- curl.setopt(pycurl.COOKIEJAR, '/dev/null')
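
Review bot: the replacement line `curl.setopt(pycurl.COOKIEFILE, '')` carries no comment explaining why an empty string is passed, and the comment above describes that behaviour as what "the current implementation" does. A short code comment stating that '' enables cookies in the handle without reading or writing any file, and that COOKIEJAR is deliberately left unset, would keep a later edit from reintroducing a path such as '/dev/null'. A regression test asserting that no COOKIEJAR option is set on the handle would cover the same risk.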

@sandrobonazzola
Member

@rwmjones hi, can you please open a bz on https://bugzilla.redhat.com/enter_bug.cgi?product=ovirt-engine-sdk-python ?
Thanks.

@rwmjones
Author

rwmjones commented May 4, 2021

BZ says I must select a component for the bug, but no components are shown in the drop-down list, so I cannot file this bug. If you can file it then I will link it to our RHEL bug.

Apparently you need to press ctrl+shift+A to get it to list the components. The bug is: https://bugzilla.redhat.com/show_bug.cgi?id=1956750

@sandrobonazzola
Member

Thanks @rwmjones closing the ticket here, we'll track progress on the bz at https://bugzilla.redhat.com/show_bug.cgi?id=1956750
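
An added example, not part of the original thread or of the SDK's code: a small static check, built on Python's `ast` module, that lists every `setopt(..., COOKIEJAR, ...)` call in a source file together with the path libcurl would overwrite. The sample strings are constructed from the snippets quoted in the thread, and `find_cookiejar_writes` is a hypothetical helper name.

```python
import ast

# Constructed samples: the two calls quoted in the issue, and the replacement
# proposed in the thread.
BEFORE = (
    "curl = pycurl.Curl()\n"
    "curl.setopt(pycurl.COOKIEFILE, '/dev/null')\n"
    "curl.setopt(pycurl.COOKIEJAR, '/dev/null')\n"
)
AFTER = (
    "curl = pycurl.Curl()\n"
    "curl.setopt(pycurl.COOKIEFILE, '')\n"
)
# Constructed sample: a jar path that is computed rather than written literally.
COMPUTED = "handle.setopt(pycurl.COOKIEJAR, jar_path)\n"


def find_cookiejar_writes(source):
    """Return sorted (line, path) pairs for every setopt(<x>.COOKIEJAR, arg) call.

    path is the string literal libcurl would write the jar to, or None when
    the argument is not a literal and has to be reviewed by hand.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr == "setopt"
                and len(node.args) == 2):
            continue
        option, value = node.args
        # Match on the attribute name so any module alias for pycurl is covered.
        if not (isinstance(option, ast.Attribute) and option.attr == "COOKIEJAR"):
            continue
        if isinstance(value, ast.Constant) and isinstance(value.value, str):
            if value.value == "-":  # "-" sends the jar to stdout, not to a file
                continue
            findings.append((node.lineno, value.value))
        else:
            findings.append((node.lineno, None))
    return sorted(findings, key=lambda item: item[0])


if __name__ == "__main__":
    for name, sample in (("before", BEFORE), ("after", AFTER), ("computed", COMPUTED)):
        print(name, find_cookiejar_writes(sample))
```

Only the COOKIEJAR call is reported because that is the option that writes; a COOKIEFILE path is only read.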
