[Libosinfo] [libosinfo PATCH 2/2] tools, install-script: Do not accept user & admin password via --config
Fabiano Fidêncio
fidencio at redhat.com
Fri Jul 5 08:27:20 UTC 2019
As passing user & admin password via command line is a low impact CVE,
let's error out when it's done and advise the users to use
--config-file instead.
Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>
---
tools/osinfo-install-script.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/tools/osinfo-install-script.c b/tools/osinfo-install-script.c
index efa96ee..3da4a69 100644
--- a/tools/osinfo-install-script.c
+++ b/tools/osinfo-install-script.c
@@ -85,6 +85,15 @@ static gboolean handle_config(const gchar *option_name G_GNUC_UNUSED,
val++;
key = g_strndup(value, len);
+ if (g_str_equal(key, OSINFO_INSTALL_CONFIG_PROP_USER_PASSWORD) ||
+ g_str_equal(key, OSINFO_INSTALL_CONFIG_PROP_ADMIN_PASSWORD)) {
+ g_set_error(error, OSINFO_ERROR, 0,
+ _("When setting user or admin password, use "
+ "--config-file instead.\n"));
+ g_free(key);
+ return FALSE;
+ }
+
osinfo_entity_set_param(OSINFO_ENTITY(config),
key,
val);
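Review bot: the translated string in the new g_set_error() call ends with "\n" ("--config-file instead.\n"); GError messages are conventionally stored without a trailing newline so the caller controls how they are printed, so I would drop it. It would also help to name the rejected key in the message (a %s filled from key before the g_free(key)), since several --config options can be given on one command line and the user needs to know which one to move into the config file.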
@@ -520,6 +529,8 @@ script. Defaults to C<media>, but can also be C<network>.
Set the configuration parameter C<key> to C<value>.
+Note: this option has been deprecated, use B<--config-file=> instead.
+
=item B<--config-file=config-file>
Set the configurations parameters according to the config-file passed.
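Review bot: the added POD note says the option as a whole "has been deprecated", but the handle_config() change in this patch only rejects the user and admin password keys and still accepts every other key. Suggest saying that explicitly here, for example that user and admin passwords are refused via --config and have to be set through B<--config-file=>, so the man page matches the error the tool now returns.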
--
2.21.0