Bug 1094541 - API should prevent NULL's in user environment variables
Summary: API should prevent NULL's in user environment variables
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: OpenShift Online
Classification: Red Hat
Component: Master
Version: 2.x
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Lili Nader
QA Contact: libra bugs
URL:
Whiteboard: related #1093197
Depends On:
Blocks: 1096833
Reported: 2014-05-06 00:13 UTC by Jhon Honce
Modified: 2015-05-15 00:56 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-07-15 10:28:48 UTC
Target Upstream Version:
Embargoed:



Description Jhon Honce 2014-05-06 00:13:49 UTC
Description of problem:
It is possible to create an environment variable with a null value. Both Ruby and Python reject environment variables with embedded nulls when spawning a process.

Version-Release number of selected component (if applicable):


How reproducible:
Use API to create environment variable with embedded null

Steps to Reproduce:
1.
2.
3.

Actual results:
oo-trap-user or oo-su fail to allow user to log in. 

Expected results:
API should reject attempts to set these environment variables

Additional info:

Comment 1 Abhishek Gupta 2014-05-06 00:18:10 UTC
An example of an env var value with an embedded null is --> TEST\000TEST

Comment 5 zhaozhanqi 2014-05-08 05:26:59 UTC
Verified this bug on devenv_4775

--set value to \\000 via rhc

1) # rhc app create app1 diy  --no-git -e foo=\\000
Using diy-0.1 (Do-It-Yourself 0.1) for 'diy'

Application Options
-------------------
Domain:                zqd
Cartridges:            diy-0.1
Gear Size:             default
Scaling:               no
Environment Variables: foo=\000

Creating application 'app1' ... Value cannot contain null characters.

2) rhc env-set -a php1 foo=\\000
Setting environment variable(s) ... Value cannot contain null characters.


--Set value to \\000 via restapi

1)curl -k -H 'Accept: application/xml' --user $user:pass https://localhost/broker/rest/domains/zqd/applications/php1/environment_variables -d 'environment_variables[][name]=foo' -d 'environment_variables[][value]=\\00000' -X POST


Value cannot contain null characters.</text>
      <exit-code>190</exit-code>

2) update a value to \\000
curl -k -H 'Accept: application/xml' --user zzhao:redhat https://localhost/broker/rest/application/536b4075798389700c00001e/environment-variable/foo -d value=\\000 -X PUT

  <severity>error</severity>
      <text>Value cannot contain null characters.</text>
      <exit-code>190</exit-code>

3) create app with env value equals \\000

curl -k -s -H "Content-Type: application/json" -u $user:pass https://localhost/broker/rest/domains/zqd/applications -X POST -d '{"name":"app2","cartridge":{"url":"https://raw.github.com/zhaozhanqi/phpv2/master/metadata/manifest.yml"},"environment_variables":[{"name":"FOO", "value":"\\000"}]}' |python -m json.tool


"messages": [
        {
            "exit_code": 190, 
            "field": "environment_variables", 
            "index": null, 
            "severity": "error", 
            "text": "Value cannot contain null characters."
        }
    ],
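
The check this bug asks for, as an added Ruby example that is not OpenShift's own code: it rejects a value containing a real NUL byte or the literal text `\000` that the verification commands above send, and shows Ruby refusing to spawn a process with such a value. The function and constant names are hypothetical; the error text is copied from the output above.

```ruby
require 'rbconfig'

# Added example; names are hypothetical, not OpenShift broker code.
NUL_BYTE   = "\x00".freeze   # a real NUL character
NUL_ESCAPE = '\000'.freeze   # the four characters backslash, 0, 0, 0
ERROR_TEXT = 'Value cannot contain null characters.'.freeze # text from the page

# Returns nil for an acceptable value, or an error hash for a rejected one.
def check_env_value(name, value)
  value = value.to_s
  return nil unless value.include?(NUL_BYTE) || value.include?(NUL_ESCAPE)
  { field: 'environment_variables', name: name, severity: 'error', text: ERROR_TEXT }
end

# Checks every name/value pair up front so nothing invalid is stored.
def validate_env_vars(vars)
  vars.map { |v| check_env_value(v['name'], v['value']) }.compact
end

# The failure the check prevents: Ruby refuses to spawn with a NUL in the env.
def spawn_rejects?(value)
  pid = Process.spawn({ 'FOO' => value }, RbConfig.ruby, '-e', 'exit 0')
  Process.wait(pid)
  false
rescue ArgumentError
  true
end

# Constructed sample input, shaped like the JSON body in the comment above.
SAMPLE = [
  { 'name' => 'GOOD', 'value' => 'plain text' },
  { 'name' => 'FOO',  'value' => '\000' },
  { 'name' => 'BAR',  'value' => "TEST\x00TEST" }
].freeze

if __FILE__ == $PROGRAM_NAME
  validate_env_vars(SAMPLE).each { |e| puts "#{e[:name]}: #{e[:text]}" }
  puts "spawn with NUL rejected: #{spawn_rejects?("a\x00b")}"
end
```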

