[Bug 556] New: Deployment component doesn't warn in case of malicious statement

For more information about this bug, visit
Summary: Deployment component doesn't warn in case of malicious
statement
Product: OCL
Version: 1.4.1
Platform: All
OS/Version: All
Status: NEW
Severity: enhancement
Priority: P2
Component: Deployment
AssignedTo: orocos-dev [..] ...
ReportedBy: klaas [dot] gadeyne [..] ...
CC: orocos-dev [..] ...
Estimated Hours: 0.0

[Note] This "bug" is inspired by bug #555, in which the AutoConnect
functionality, which is described in the documentation, but was not yet
implemented in the 1.4 series, didn't cause a warning when its property is
parsed by the deployer.

To reproduce: Add any syntactically valid cpf statement to your deployer's
config file, e.g.

[kgad@ampere ~/SVN/mbsd_gco/soft/trunk/tool_evaluation/orocos/app]$
diff deployment.cpf~ deployment.cpf
33a34
> Peter is a naughty boy

You will notice that the deployer simply ignores this statement instead of
warning you that it has encountered something wrong/meaningless.

This one could save the user a lot of debugging time.

[Bug 556] Deployment component doesn't warn in case of malicious

Peter Soetens
<peter [dot] soetens [..] ...> changed:

            What|Removed                     |Added
----------------------------------------------------------------------------
          Status|NEW                         |RESOLVED
      Resolution|                            |FIXED
              CC|                            |peter [dot] soetens [..] ...
Target Milestone|---                         |1.6.0

--- Comment #1 from Peter Soetens
<peter [dot] soetens [..] ...> 2008-06-11 22:40:01 ---
Fixed on trunk/ocl. If you see wrong files still passing, please open a new bug
report.

$ svn di deployment
Index: deployment/DeploymentComponent.cpp
===================================================================
--- deployment/DeploymentComponent.cpp (revision 29305)
+++ deployment/DeploymentComponent.cpp (working copy)
@@ -13,6 +13,7 @@
#include
#include
#include
+#include

using namespace Orocos;

@@ -23,6 +24,11 @@

std::vector
> DeploymentComponent::LoadedLibs;

+ /**
+ * I'm using a set to speed up lookups.
+ */
+ static std::set valid_names;
+
#define ORO_str(s) ORO__str(s)
#define ORO__str(s) #s

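Review bot: the doc comment on the new static valid_names set says only why a set was chosen ("to speed up lookups") and not what it holds; say that it is the list of element names accepted inside a component struct. As declared it is a mutable file-scope static, so any code in this file can change it after start-up; a const set built once at its definition would keep the accepted-name list fixed.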
@@ -151,6 +157,21 @@

this->configure();
+
+ valid_names.insert("AutoUnload");
+ valid_names.insert("UseNamingService");
+ valid_names.insert("Server");
+ valid_names.insert("AutoConf");
+ valid_names.insert("AutoStart");
+ valid_names.insert("AutoConnect");
+ valid_names.insert("PropertyFile");
+ valid_names.insert("UpdateProperties");
+ valid_names.insert("ProgramScript");
+ valid_names.insert("StateMachineScript");
+ valid_names.insert("Ports");
+ valid_names.insert("Peers");
+ valid_names.insert("Activity");
+
}

bool DeploymentComponent::configureHook()
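Review bot: the thirteen valid_names.insert(...) calls added after this->configure() run every time this function body is entered, although valid_names is a shared static, so each later call only repeats the same inserts; populate the set once where it is defined. The accepted names also exist as string literals in the option parsing (for example the "AutoConnect" comparison), so a new option has to be added in both places or it will be rejected as unknown; a comment here should say so.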
@@ -389,12 +410,17 @@
// Check if it is a propertybag.
Property comp = *it;
if ( !comp.ready() ) {
- log(Error)<< "Property '"<< *it <<"' is not a
PropertyBag." << endlog();
+ log(Error)<< "Property '"<< *it <<"' is should be
a struct, Include or Import statement." << endlog();
valid = false;
continue;
}
// Parse the options before creating the component:
for (PropertyBag::const_iterator optit=
comp.rvalue().begin(); optit != comp.rvalue().end();optit++) {
+ if ( valid_names.find( (*optit)->getName() ) ==
valid_names.end() ) {
+ log(Error) << "Unknown type syntax: '"<<
(*optit)->getName() << "' in component struct "<< comp.getName() < + valid = false;
+ continue;
+ }
if ( (*optit)->getName() == "AutoConnect" ) {
Property ps =
comp.rvalue().getProperty("AutoConnect");
if (!ps.ready()) {
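Review bot: the reworded message on the !comp.ready() branch reads "is should be a struct"; drop the stray "is". In the new valid_names check, "Unknown type syntax" describes what is actually a lookup on (*optit)->getName(), so wording such as "Unknown element name" would tell the user what to correct. The lookup tests the element name only, so a known name carrying a wrong type or value still passes this check and depends on the per-option handling that follows.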
+ sspr@lt00129:~/src/Orocos/ocl-hotfix
$ svn ci deployment -m"Check the syntax of the component struct in xml files
for unknown types."
Sending deployment/DeploymentComponent.cpp
Transmitting file data .
Committed revision 29388.