This repository has been archived by the owner on Sep 22, 2020. It is now read-only.
3000.1_CVE-2020-11651.patch
diff --git a/salt/master.py b/salt/master.py
index fb2e0c3..07c182a 100644
--- a/salt/master.py
+++ b/salt/master.py
@@ -1088,12 +1088,13 @@ class MWorker(salt.utils.process.SignalHandlingProcess):
'''
log.trace('Clear payload received with command %s', load['cmd'])
cmd = load['cmd']
- if cmd.startswith('__'):
- return False
+ method = self.clear_funcs.get_method(cmd)
+ if not method:
+ return {}, {'fun': 'send_clear'}
if self.opts['master_stats']:
start = time.time()
self.stats[cmd]['runs'] += 1
- ret = getattr(self.clear_funcs, cmd)(load), {'fun': 'send_clear'}
+ ret = method(load), {'fun': 'send_clear'}
if self.opts['master_stats']:
self._post_stats(start, cmd)
return ret
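Review bot: A clear-channel payload without a `cmd` key still raises `KeyError` at `load['cmd']`, both in the trace log call and in the assignment that feeds the new `get_method` lookup; nothing between the end of the docstring and those lines guards against it. Since this patch describes ClearFuncs as reachable without encryption and authentication, reading the name once with `cmd = load.get('cmd')` and logging `cmd` would let a malformed request fall through to the same `return {}, {'fun': 'send_clear'}` rejection. The function's signature and the start of its docstring are outside the hunk, so whether `load` is always a dict cannot be confirmed from here.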
@@ -1111,8 +1112,9 @@ class MWorker(salt.utils.process.SignalHandlingProcess):
return {}
cmd = data['cmd']
log.trace('AES payload received with command %s', data['cmd'])
- if cmd.startswith('__'):
- return False
+ method = self.aes_funcs.get_method(cmd)
+ if not method:
+ return {}, {'fun': 'send'}
if self.opts['master_stats']:
start = time.time()
self.stats[cmd]['runs'] += 1
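Review bot: `method` is resolved and checked here, but no line in this hunk calls it, unlike `_handle_clear`, where the same commit replaces the `getattr` dispatch with `method(load)`. If the dispatch further down in this function still looks the handler up by `cmd` a second time, the allowlist check and the actual call are two separate lookups that can drift apart; calling the vetted `method` directly would keep them tied together. The rest of the function is outside the hunk, so this needs confirming against the full file.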
@@ -1143,13 +1145,44 @@ class MWorker(salt.utils.process.SignalHandlingProcess):
self.__bind()
+class TransportMethods(object):
+ '''
+ Expose methods to the transport layer, methods with their names found in
+ the class attribute 'expose_methods' will be exposed to the transport layer
+ via 'get_method'.
+ '''
+
+ expose_methods = ()
+
+ def get_method(self, name):
+ '''
+ Get a method which should be exposed to the transport layer
+ '''
+ if name in self.expose_methods:
+ try:
+ return getattr(self, name)
+ except AttributeError:
+ log.error("Expose method not found: %s", name)
+ else:
+ log.error("Requested method not exposed: %s", name)
+
+
# TODO: rename? No longer tied to "AES", just "encrypted" or "private" requests
-class AESFuncs(object):
+class AESFuncs(TransportMethods):
'''
Set up functions that are available when the load is encrypted with AES
'''
- # The AES Functions:
- #
+
+ expose_methods = (
+ 'verify_minion', '_master_tops', '_ext_nodes', '_master_opts',
+ '_mine_get', '_mine', '_mine_delete', '_mine_flush', '_file_recv',
+ '_pillar', '_minion_event', '_handle_minion_event', '_return',
+ '_syndic_return', 'minion_runner', 'pub_ret', 'minion_pub',
+ 'minion_publish', 'revoke_auth', '_serve_file',
+ '_file_find', '_file_hash', '_file_hash_and_stat', '_file_list',
+ '_file_list_emptydirs', '_dir_list', '_symlink_list', '_file_envs',
+ )
+
def __init__(self, opts):
'''
Create a new AESFuncs
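Review bot: In `TransportMethods.get_method` both `log.error` calls format the requested name with `%s`, and on the clear channel that name comes from an unauthenticated request, so newlines or control characters in it land verbatim in the master log; `log.error("Requested method not exposed: %r", name)` (and the same for the "not found" message) keeps each rejection on one unambiguous line. The rejection paths also return `None` only by falling off the end of the function; an explicit `return None` after each log call would make the deny-by-default contract visible, and the docstring could state that `None` means "not exposed". Error level for a condition any remote peer can trigger at will may also be worth reconsidering in favour of a warning.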
@@ -1863,11 +1896,18 @@ class AESFuncs(object):
return ret, {'fun': 'send'}
-class ClearFuncs(object):
+class ClearFuncs(TransportMethods):
'''
Set up functions that are safe to execute when commands sent to the master
without encryption and authentication
'''
+
+ # These methods will be exposed to the transport layer by
+ # MWorker._handle_clear
+ expose_methods = (
+ 'ping', 'publish', 'get_token', 'mk_token', 'wheel', 'runner',
+ )
+
# The ClearFuncs object encapsulates the functions that can be executed in
# the clear:
# publish (The publish from the LocalClient)
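Review bot: The comment above `expose_methods` says who consumes the tuple but not the criterion for adding a name to it, while the class docstring states these functions run without encryption and authentication. A comment such as `# Every name listed here is callable by unauthenticated peers; the method must do its own authentication/authorization.` would make that explicit for future additions. Whether `wheel`, `runner` and `publish` do so is not visible in this hunk. The older comment block that follows (`# The ClearFuncs object encapsulates the functions that can be executed in the clear:`) now overlaps with the tuple and should point to it as the single source of truth.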