Bug 1953476

Summary: overwrites /dev/null with pycurl cookie jar
Product: [oVirt] ovirt-engine-sdk-python Reporter: Ori Liel <oliel>
Component: GeneralAssignee: Ori Liel <oliel>
Status: CLOSED DUPLICATE QA Contact: Guilherme Santos <gdeolive>
Severity: medium Docs Contact:
Priority: medium    
Version: ---CC: bugs, juan.hernandez, mperina
Target Milestone: ovirt-4.4.7Flags: pm-rhel: ovirt-4.4+
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-05-05 11:56:40 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Infra RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Ori Liel 2021-04-26 08:14:04 UTC 
With recent PyCurl (at least in Fedora 34) /dev/null is overwritten if you use the SDK as root.

The reason is because of the following code:
ovirt-engine-sdk/sdk/lib/ovirtsdk4/__init__.py

Lines 392 to 394 in 1bb6c5e

 curl = pycurl.Curl() 
 curl.setopt(pycurl.COOKIEFILE, '/dev/null') 
 curl.setopt(pycurl.COOKIEJAR, '/dev/null') 
You can demonstrate this pretty easily with a tiny test program (NB be aware before running this that it will destroy your /dev/null and make your system unusable!)

$ cat curl.py
#!/usr/bin/python3

import pycurl

curl = pycurl.Curl()
curl.setopt(pycurl.COOKIEFILE, '/dev/null')
curl.setopt(pycurl.COOKIEJAR, '/dev/null')

$ sudo ./curl.py 

$ ll /dev/null 
-rw-r--r--. 1 root root 136 Mar 16 13:40 /dev/null
Downstream bug: https://bugzilla.redhat.com/show_bug.cgi?id=1939387#c6


nyoxi commented on Mar 16
I am wondering why this is needed in the first place, because it should be disabled by default: https://curl.se/libcurl/c/CURLOPT_COOKIEJAR.html
But I assume user can override it with environment variable maybe?

It looks like there is a bug in pycurl wrapper also, because you cannot "undefine" the value. Using None or 0 does not seem to work and produces errors:

...
Traceback (most recent call last):
  File "/tmp/tmp.6pLX6iXQx8/curl.py", line 7, in <module>
    curl.setopt(pycurl.COOKIEFILE, None)
TypeError: unsetopt() is not supported for this option
...
Traceback (most recent call last):
  File "/tmp/tmp.6pLX6iXQx8/curl.py", line 7, in <module>
    curl.setopt(pycurl.COOKIEFILE, 0)
TypeError: integers are not supported for this option
 

rwmjones commented on Mar 16 • 
I checked with the C API and it does allow you to set the cookie jar to NULL.

(My previous comment here was wrong)

For COOKIEJAR, you can either set this to - or a filename, and for any filename it was simply overwrite the file, so that's bad.

If the aim is to enable cookies in the handle, but without writing to any file, then you should set COOKIEFILE to "" (empty string), which in the current implementation calls Curl_cookie_init to initialize cookies, but does not read or write any cookies.

IOW this change:

- curl.setopt(pycurl.COOKIEFILE, '/dev/null')
+ curl.setopt(pycurl.COOKIEFILE, '')
- curl.setopt(pycurl.COOKIEJAR, '/dev/null')
Comment 1 Martin Perina 2021-05-05 11:56:40 UTC 

*** This bug has been marked as a duplicate of bug 1956750 ***