Bug 1953476 - overwrites /dev/null with pycurl cookie jar
Keywords:
Status: CLOSED DUPLICATE of bug 1956750
Alias: None
Product: ovirt-engine-sdk-python
Classification: oVirt
Component: General
Version: ---
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ovirt-4.4.7
Assignee: Ori Liel
QA Contact: Guilherme Santos
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-04-26 08:14 UTC by Ori Liel
Modified: 2021-05-05 11:56 UTC (History)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-05-05 11:56:40 UTC
oVirt Team: Infra
Embargoed:
pm-rhel: ovirt-4.4+



Description Ori Liel 2021-04-26 08:14:04 UTC
With recent PyCurl (at least in Fedora 34) /dev/null is overwritten if you use the SDK as root.

The reason is because of the following code:
ovirt-engine-sdk/sdk/lib/ovirtsdk4/__init__.py

Lines 392 to 394 in 1bb6c5e

curl = pycurl.Curl()
curl.setopt(pycurl.COOKIEFILE, '/dev/null')
curl.setopt(pycurl.COOKIEJAR, '/dev/null')

You can demonstrate this pretty easily with a tiny test program (NB be aware before running this that it will destroy your /dev/null and make your system unusable!)

$ cat curl.py
#!/usr/bin/python3

import pycurl

curl = pycurl.Curl()
curl.setopt(pycurl.COOKIEFILE, '/dev/null')
curl.setopt(pycurl.COOKIEJAR, '/dev/null')

$ sudo ./curl.py 

$ ll /dev/null 
-rw-r--r--. 1 root root 136 Mar 16 13:40 /dev/null

Downstream bug: https://bugzilla.redhat.com/show_bug.cgi?id=1939387#c6


nyoxi commented on Mar 16
I am wondering why this is needed in the first place, because it should be disabled by default: https://curl.se/libcurl/c/CURLOPT_COOKIEJAR.html
But I assume the user can override it with an environment variable maybe?

It looks like there is a bug in the pycurl wrapper also, because you cannot "undefine" the value. Using None or 0 does not seem to work and produces errors:

...
Traceback (most recent call last):
  File "/tmp/tmp.6pLX6iXQx8/curl.py", line 7, in <module>
    curl.setopt(pycurl.COOKIEFILE, None)
TypeError: unsetopt() is not supported for this option
...
Traceback (most recent call last):
  File "/tmp/tmp.6pLX6iXQx8/curl.py", line 7, in <module>
    curl.setopt(pycurl.COOKIEFILE, 0)
TypeError: integers are not supported for this option
 

rwmjones commented on Mar 16
I checked with the C API and it does allow you to set the cookie jar to NULL.

(My previous comment here was wrong)

For COOKIEJAR, you can either set this to - or a filename, and for any filename it will simply overwrite the file, so that's bad.

If the aim is to enable cookies in the handle, but without writing to any file, then you should set COOKIEFILE to "" (empty string), which in the current implementation calls Curl_cookie_init to initialize cookies, but does not read or write any cookies.

IOW this change:

- curl.setopt(pycurl.COOKIEFILE, '/dev/null')
+ curl.setopt(pycurl.COOKIEFILE, '')
- curl.setopt(pycurl.COOKIEJAR, '/dev/null')
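
Review bot: The empty string passed to COOKIEFILE on the + line needs a code comment, since nothing in the call says that '' is deliberate; without one a later cleanup could put a path back. Suggest a comment above it noting that '' enables cookie handling without reading or writing any file, and that COOKIEJAR is intentionally left unset because any filename given to it is overwritten.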

Comment 1 Martin Perina 2021-05-05 11:56:40 UTC

*** This bug has been marked as a duplicate of bug 1956750 ***
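
A pre-flight guard for the failure described in this report, as an added example that is not part of the original report or the SDK's code: it refuses to hand COOKIEJAR any existing path that is not a regular file, and checks that /dev/null is still a character device. The function names are hypothetical, and the pycurl import is deferred so the two checks run without pycurl installed.

```python
import os
import stat

# Hypothetical helper names; added example, not ovirtsdk4 code.


def check_cookiejar_path(path):
    """Return path if it may be given to COOKIEJAR, else raise ValueError.

    Allowed: a path that does not exist yet, or an existing regular file.
    lstat() is used so a symlink (e.g. one pointing at /dev/null) is
    rejected instead of followed.
    """
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return path
    if not stat.S_ISREG(st.st_mode):
        raise ValueError(f"refusing cookie jar at {path!r}: not a regular file")
    return path


def is_char_device(path="/dev/null"):
    """True if path is still a character device; False once it has been
    replaced by a regular file, as in the `ll /dev/null` output above."""
    try:
        return stat.S_ISCHR(os.lstat(path).st_mode)
    except OSError:
        return False


def apply_cookie_options(curl, jar_path=None):
    """Enable cookies on a pycurl handle without touching special files."""
    import pycurl  # deferred: the checks above do not need pycurl

    # Empty string: cookie handling on, nothing read from disk (per the thread).
    curl.setopt(pycurl.COOKIEFILE, "")
    if jar_path is not None:
        # Persist cookies only on request, and only to a vetted path.
        curl.setopt(pycurl.COOKIEJAR, check_cookiejar_path(jar_path))
```

The path check is a guard against misconfiguration, not a race-free control: the file could change between the check and the write.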

