github
/
fail2ban
mirror of https://github.com/fail2ban/fail2ban
1
0
Fork 0
Code Issues Releases Wiki Activity

BF: fix infinite recursion case in Action.substituteRecursiveTags

pull/556/head
Daniel Black 2013-12-31 19:00:26 +11:00
parent 15d6de0664
commit e4a215ca50
2 changed files with 14 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
fail2ban/server/action.py
View File

@ -276,19 +276,27 @@ class Action:
for tag, value in tags.iteritems(): for tag, value in tags.iteritems():
value = str(value) value = str(value)
m = t.search(value) m = t.search(value)
done = []
#logSys.log(5, 'TAG: %s, value: %s' % (tag, value))
while m: while m:
if m.group(1) == tag: found_tag = m.group(1)
#logSys.log(5, 'found: %s' % found_tag)
if found_tag == tag or found_tag in done:
# recursive definitions are bad # recursive definitions are bad
#logSys.log(5, 'recursion fail')
return False return False
else: else:
if tags.has_key(m.group(1)): if tags.has_key(found_tag):
value = value[0:m.start()] + tags[m.group(1)] + value[m.end():] value = value[0:m.start()] + tags[found_tag] + value[m.end():]
#logSys.log(5, 'value now: %s' % value)
done.append(found_tag)
m = t.search(value, m.start()) m = t.search(value, m.start())
else: else:
# Missing tags are ok so we just continue on searching. # Missing tags are ok so we just continue on searching.
# cInfo can contain aInfo elements like <HOST> and valid shell # cInfo can contain aInfo elements like <HOST> and valid shell
# constructs like <STDIN>. # constructs like <STDIN>.
m = t.search(value, m.start() + 1) m = t.search(value, m.start() + 1)
#logSys.log(5, 'TAG: %s, newvalue: %s' % (tag, value))
tags[tag] = value tags[tag] = value
return tags return tags
substituteRecursiveTags = staticmethod(substituteRecursiveTags) substituteRecursiveTags = staticmethod(substituteRecursiveTags)

3
fail2ban/tests/actiontestcase.py
View File

@ -58,6 +58,9 @@ class ExecuteAction(LogCaptureTestCase):
self.assertFalse(Action.substituteRecursiveTags({'A': '<A>'})) self.assertFalse(Action.substituteRecursiveTags({'A': '<A>'}))
self.assertFalse(Action.substituteRecursiveTags({'A': '<B>', 'B': '<A>'})) self.assertFalse(Action.substituteRecursiveTags({'A': '<B>', 'B': '<A>'}))
self.assertFalse(Action.substituteRecursiveTags({'A': '<B>', 'B': '<C>', 'C': '<A>'})) self.assertFalse(Action.substituteRecursiveTags({'A': '<B>', 'B': '<C>', 'C': '<A>'}))
# part recursion
self.assertFalse(Action.substituteRecursiveTags({'A': 'to=<B> fromip=<IP>', 'C': '<B>', 'B': '<C>', 'D': ''}))
self.assertFalse(Action.substituteRecursiveTags({'failregex': 'to=<honeypot> fromip=<IP>', 'sweet': '<honeypot>', 'honeypot': '<sweet>', 'ignoreregex': ''}))
# missing tags are ok # missing tags are ok
self.assertEqual(Action.substituteRecursiveTags({'A': '<C>'}), {'A': '<C>'}) self.assertEqual(Action.substituteRecursiveTags({'A': '<C>'}), {'A': '<C>'})
self.assertEqual(Action.substituteRecursiveTags({'A': '<C> <D> <X>','X':'fun'}), {'A': '<C> <D> fun', 'X':'fun'}) self.assertEqual(Action.substituteRecursiveTags({'A': '<C> <D> <X>','X':'fun'}), {'A': '<C> <D> fun', 'X':'fun'})