Rooba
/
boinc
mirror of https://github.com/BOINC/boinc.git
1
0
Fork 0
Code Issues 1 Packages Projects Releases Wiki Activity

Server (assimilator): add random string to result file names 

Otherwise, result file names can be inferred from result names.
An attacker with task A could find the name of the "wingman" task B,
upload fake files as B's output files,
upload the same files as A's output files,
report A as completed, and get unearned credit.
This commit is contained in:
David Anderson 2015-11-16 19:28:30 -08:00
parent 582f389f39
commit 153f6600d0
4 changed files with 9 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
sched/sample_assimilator.cpp
View File

@ -45,8 +45,7 @@ int write_error(char* p) {
return 0; return 0;
} }
int assimilate_handler_init(int argc, char** argv) { int assimilate_handler_init(int, char**) {
// handle project specific arguments here
return 0; return 0;
} }

3
sched/sample_dummy_assimilator.cpp
View File

@ -31,8 +31,7 @@
using std::vector; using std::vector;
using std::string; using std::string;
int assimilate_handler_init(int argc, char** argv) { int assimilate_handler_init(int, char**) {
// handle project specific arguments here
return 0; return 0;
} }

3
sched/single_job_assimilator.cpp
View File

@ -39,8 +39,7 @@
using std::vector; using std::vector;
using std::string; using std::string;
int assimilate_handler_init(int argc, char** argv) { int assimilate_handler_init(int, char**) {
// handle project specific arguments here
return 0; return 0;
} }

10
tools/backend_lib.cpp
View File

@ -51,6 +51,8 @@
using std::string; using std::string;
// the random part of output filenames needs to be hard to guess
//
static struct random_init { static struct random_init {
random_init() { random_init() {
srand48(getpid() + time(0)); srand48(getpid() + time(0));
@ -153,14 +155,16 @@ int create_result(
int priority_increase int priority_increase
) { ) {
DB_RESULT result; DB_RESULT result;
char base_outfile_name[256]; char base_outfile_name[MAXPATHLEN];
char result_template[BLOB_SIZE]; char result_template[BLOB_SIZE];
int retval; int retval;
initialize_result(result, wu); initialize_result(result, wu);
result.random = lrand48();
result.priority += priority_increase; result.priority += priority_increase;
sprintf(result.name, "%s_%s", wu.name, result_name_suffix); sprintf(result.name, "%s_%s", wu.name, result_name_suffix);
sprintf(base_outfile_name, "%s_", result.name); sprintf(base_outfile_name, "%s_%ld", result.name, lrand48());
retval = read_filename( retval = read_filename(
result_template_filename, result_template, sizeof(result_template) result_template_filename, result_template, sizeof(result_template)
); );
@ -189,8 +193,6 @@ int create_result(
} }
strlcpy(result.xml_doc_in, result_template, sizeof(result.xml_doc_in)); strlcpy(result.xml_doc_in, result_template, sizeof(result.xml_doc_in));
result.random = lrand48();
if (query_string) { if (query_string) {
result.db_print_values(query_string); result.db_print_values(query_string);
} else { } else {