[Bug 556] New: Deployment component doesn't warn in case of malicious statement

For more information about this bug, visit
Summary: Deployment component doesn't warn in case of malicious
statement
Product: OCL
Version: 1.4.1
Platform: All
OS/Version: All
Status: NEW
Severity: enhancement
Priority: P2
Component: Deployment
AssignedTo: orocos-dev [..] ...
ReportedBy: klaas [dot] gadeyne [..] ...
CC: orocos-dev [..] ...
Estimated Hours: 0.0

[Note] This "bug" is inspired by bug #555, in which the AutoConnect
functionality, which is described in the documentation, but was not yet
implemented in the 1.4 series, didn't cause a warning when its property is
parsed by the deployer.

To reproduce: Add any syntactically valid cpf statement to your deployer's
config file, e.g.

[kgad@ampere ~/SVN/mbsd_gco/soft/trunk/tool_evaluation/orocos/app]$
diff deployment.cpf~ deployment.cpf
33a34
> Peter is a naughty boy

You will notice that the deployer simply ignores this statement instead of
warning you that it has encountered something wrong/meaningless.

This one could save the user a lot of debugging time.

[Bug 556] Deployment component doesn't warn in case of malicious

For more information about this bug, visit

Peter Soetens <peter [dot] soetens [..] ...> changed:

            What|Removed                     |Added
----------------------------------------------------------------------------
          Status|NEW                         |RESOLVED
      Resolution|                            |FIXED
              CC|                            |peter [dot] soetens [..] ...
Target Milestone|---                         |1.6.0

--- Comment #1 from Peter Soetens <peter [dot] soetens [..] ...> 2008-06-11 22:40:01 ---
Fixed on trunk/ocl. If you see wrong files still passing, please open a new bug
report.

$ svn di deployment
Index: deployment/DeploymentComponent.cpp
===================================================================
--- deployment/DeploymentComponent.cpp (revision 29305)
+++ deployment/DeploymentComponent.cpp (working copy)
@@ -13,6 +13,7 @@
#include
#include
#include
+#include

using namespace Orocos;

@@ -23,6 +24,11 @@

std::vector

> DeploymentComponent::LoadedLibs;

+ /**
+ * I'm using a set to speed up lookups.
+ */
+ static std::set valid_names;
+
#define ORO_str(s) ORO__str(s)
#define ORO__str(s) #s

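Review bot: the comment on the new static valid_names set says why a set was chosen but not what it holds; state that it lists the option names accepted inside a component struct, so that whoever adds an option knows to register it here. Since the set is a file-scope static that is filled at run time in a later hunk, consider building it once at its definition and declaring it const, which removes any dependence on when it gets populated.
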
@@ -151,6 +157,21 @@

this->configure();
+
+ valid_names.insert(\"AutoUnload\");
+ valid_names.insert(\"UseNamingService\");
+ valid_names.insert(\"Server\");
+ valid_names.insert(\"AutoConf\");
+ valid_names.insert(\"AutoStart\");
+ valid_names.insert(\"AutoConnect\");
+ valid_names.insert(\"PropertyFile\");
+ valid_names.insert(\"UpdateProperties\");
+ valid_names.insert(\"ProgramScript\");
+ valid_names.insert(\"StateMachineScript\");
+ valid_names.insert(\"Ports\");
+ valid_names.insert(\"Peers\");
+ valid_names.insert(\"Activity\");
+
}

bool DeploymentComponent::configureHook()
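
Review bot: the valid_names.insert(...) calls sit after this->configure(); so if configure() can reach the option check that reads valid_names, the set is still empty at that point and every option name would be reported as unknown. Move the inserts above the configure() call, or initialise the set where it is defined. The inserts also run again each time this function runs although the set is static and shared, which is harmless for a std::set but redundant.
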
@@ -389,12 +410,17 @@
// Check if it is a propertybag.
Property comp = *it;
if ( !comp.ready() ) {
- log(Error)<< \"Property '\"<< *it <<\"' is not a
PropertyBag.\" << endlog();
+ log(Error)<< \"Property '\"<< *it <<\"' is should be
a struct, Include or Import statement.\" << endlog();
valid = false;
continue;
}
// Parse the options before creating the component:
for (PropertyBag::const_iterator optit=
comp.rvalue().begin(); optit != comp.rvalue().end();optit++) {
+ if ( valid_names.find( (*optit)->getName() ) ==
valid_names.end() ) {
+ log(Error) << \"Unknown type syntax: '\"<<
(*optit)->getName() << \"' in component struct \"<< comp.getName() < + valid = false;
+ continue;
+ }
if ( (*optit)->getName() == \"AutoConnect\" ) {
Property ps =
comp.rvalue().getProperty(\"AutoConnect\");
if (!ps.ready()) {
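
Review bot: in the option loop, an unrecognised name now sets valid = false, so a file whose extra entries used to be ignored is marked invalid, while the report only asked for a warning. Confirm that a hard failure is intended and note it for users upgrading, or log the unknown name at a lower severity and keep going. The accepted names are also spelled out twice, once in valid_names and once in the getName() == "AutoConnect" style comparisons that follow, so a new option has to be added in both places; a short comment here pointing at the list would help. The reworded message for a non-PropertyBag entry reads "is should be a struct" and should drop the "is", and "Unknown type syntax" could say plainly that the option name is unknown.
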
+ sspr@lt00129:~/src/Orocos/ocl-hotfix
$ svn ci deployment -m"Check the syntax of the component struct in xml files
for unknown types."
Sending deployment/DeploymentComponent.cpp
Transmitting file data .
Committed revision 29388.