annotate scripts/server-ctl @ 6375:c4371ec7d1c0
Call verifyPassword even if user does not exist.
Address timing attack caused by not doing the password check if the
user doesn't exist. Can expose valid usernames. Really only useful for
a tracker that doesn't allow anonymous access to issues. Issues
usually show usernames as part of the message display.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Tue, 06 Apr 2021 22:51:55 -0400 |
| parents | 311ad623e2d1 |
| children |
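
The fix described in the commit message above, as an added example; it is not Roundup's code and not part of this changeset. It contrasts a login check that returns early for an unknown user with one that always runs the password hash. `login_leaky`, `login_uniform`, `verify_password`, the `USERS` store and the PBKDF2 parameters are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 10_000  # assumed cost, kept low so the example runs quickly


def hash_password(password, salt=None):
    """Return (salt, digest) using PBKDF2-HMAC-SHA256."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


# Constructed sample user store: username -> (salt, digest).
USERS = {"alice": hash_password("correct horse")}
# Built once with the same cost as a real record, so a login attempt for an
# unknown user spends the same hashing time as one for a known user.
DUMMY_RECORD = hash_password(os.urandom(16).hex())
CALLS = {"verify": 0}  # counts hash verifications to show which paths do the work


def verify_password(record, password):
    """Hash the candidate with the record's salt and compare in constant time."""
    CALLS["verify"] += 1
    salt, expected = record
    return hmac.compare_digest(hash_password(password, salt)[1], expected)


def login_leaky(username, password):
    """'Before' shape: unknown users return early and skip the hash."""
    record = USERS.get(username)
    if record is None:
        return False
    return verify_password(record, password)


def login_uniform(username, password):
    """'After' shape: always verify, against a dummy record if the user is unknown."""
    record = USERS.get(username)
    target = record if record is not None else DUMMY_RECORD
    matched = verify_password(target, password)
    return matched and record is not None
```

The `CALLS` counter makes the difference visible without timing measurements: the early-return version performs zero verifications for an unknown user, the uniform version performs exactly one.
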
| rev | changeset | author | log message | lines of scripts/server-ctl |
|---|---|---|---|---|
| 1646 | adc076b825a1 | Richard Jones <richard@users.sourceforge.net> | *** empty log message *** | all lines not listed for rev 3595 |
| 3595 | 311ad623e2d1 (parent: 1646) | Alexander Smishlajev <a1s@users.sourceforge.net> | use server configuration file [SF#1443805] | the `#` closing the Configuration banner, `CONFFILE`, the `PIDFILE` comment and assignment, `SERVER`, the `if [ "x$ARGV" = "x" ]` test, and the `pidfile` option check with the blank line after it |

```sh
#!/bin/sh

#
# Configuration
#
CONFFILE="/var/roundup/server-config.ini"

# this will end up with extra space, but it should be ignored in the script
PIDFILE=`grep '^pidfile' ${CONFFILE} | awk -F = '{print $2}' `
SERVER="/usr/local/bin/roundup-server -C ${CONFFILE}"
ERROR=0
ARGV="$@"
if [ "x$ARGV" = "x" ] ; then
    ARGS="help"
fi

if [ -z "${PIDFILE}" ] ; then
    echo "pidfile option must be set in configuration file"
    exit 1
fi

for ARG in $@ $ARGS
do
    # check for pidfile
    if [ -f $PIDFILE ] ; then
        PID=`cat $PIDFILE`
        if [ "x$PID" != "x" ] && kill -0 $PID 2>/dev/null ; then
            STATUS="roundup-server (pid $PID) running"
            RUNNING=1
        else
            STATUS="roundup-server (pid $PID?) not running"
            RUNNING=0
        fi
    else
        STATUS="roundup-server (no pid file) not running"
        RUNNING=0
    fi

    case $ARG in
    start)
        if [ $RUNNING -eq 1 ] ; then
            echo "$0 $ARG: roundup-server (pid $PID) already running"
            continue
        fi
        if $SERVER ; then
            echo "$0 $ARG: roundup-server started"
        else
            echo "$0 $ARG: roundup-server could not be started"
            ERROR=1
        fi
        ;;
    condstart)
        if [ $RUNNING -eq 1 ] ; then
            continue
        fi
        if $SERVER ; then
            echo "$0 $ARG: roundup-server started"
        else
            echo "$0 $ARG: roundup-server could not be started"
            ERROR=1
        fi
        ;;
    stop)
        if [ $RUNNING -eq 0 ] ; then
            echo "$0 $ARG: $STATUS"
            continue
        fi
        if kill $PID ; then
            echo "$0 $ARG: roundup-server stopped"
        else
            echo "$0 $ARG: roundup-server could not be stopped"
            ERROR=2
        fi
        ;;
    status)
        echo $STATUS
        ;;
    *)
        echo "usage: $0 (start|condstart|stop|status)"
        cat <<EOF

start - start roundup-server
condstart - start roundup-server if it's not running
stop - stop roundup-server
status - display roundup-server status

EOF
        ERROR=3
        ;;

    esac

done

exit $ERROR
```
