Server (assimilator): add random string to result file names

Otherwise, result file names can be inferred from result names. An attacker with task A could find the name of the "wingman" task B, upload fake files as B's output files, upload the same files as A's output files, report A as completed, and get unearned credit.
2015-11-16 19:28:30 -08:00 · 2015-11-16 19:28:30 -08:00 · 153f6600d0
parent 582f389f39
commit 153f6600d0
4 changed files with 9 additions and 10 deletions
--- a/sched/sample_assimilator.cpp
+++ b/sched/sample_assimilator.cpp
@ -45,8 +45,7 @@ int write_error(char* p) {
    return 0;
 }

-int assimilate_handler_init(int argc, char** argv) {
-    // handle project specific arguments here
+int assimilate_handler_init(int, char**) {
    return 0;
 }

--- a/sched/sample_dummy_assimilator.cpp
+++ b/sched/sample_dummy_assimilator.cpp
@ -31,8 +31,7 @@
 using std::vector;
 using std::string;

-int assimilate_handler_init(int argc, char** argv) {
-    // handle project specific arguments here
+int assimilate_handler_init(int, char**) {
    return 0;
 }

--- a/sched/single_job_assimilator.cpp
+++ b/sched/single_job_assimilator.cpp
@ -39,8 +39,7 @@
 using std::vector;
 using std::string;

-int assimilate_handler_init(int argc, char** argv) {
-    // handle project specific arguments here
+int assimilate_handler_init(int, char**) {
    return 0;
 }

--- a/tools/backend_lib.cpp
+++ b/tools/backend_lib.cpp
@ -51,6 +51,8 @@

 using std::string;

+// the random part of output filenames needs to be hard to guess
+//
 static struct random_init {
    random_init() {
        srand48(getpid() + time(0));
@ -153,14 +155,16 @@ int create_result(
    int priority_increase
 ) {
    DB_RESULT result;
-    char base_outfile_name[256];
+    char base_outfile_name[MAXPATHLEN];
    char result_template[BLOB_SIZE];
    int retval;

    initialize_result(result, wu);
+    result.random = lrand48();
+
    result.priority += priority_increase;
    sprintf(result.name, "%s_%s", wu.name, result_name_suffix);
-    sprintf(base_outfile_name, "%s_", result.name);
+    sprintf(base_outfile_name, "%s_%ld", result.name, lrand48());
    retval = read_filename(
        result_template_filename, result_template, sizeof(result_template)
    );
@ -189,8 +193,6 @@ int create_result(
    }
    strlcpy(result.xml_doc_in, result_template, sizeof(result.xml_doc_in));

-    result.random = lrand48();
-
    if (query_string) {
        result.db_print_values(query_string);
    } else {