2010-01-13 17:12 UTC+0100 Viktor Szakats (harbour.01 syenar.hu)

* src/rtl/Makefile
  + src/rtl/strclear.c
  * include/hbextern.ch
    + Added HB_STRCLEAR() function to safely clear the content 
      of a string variable.
      Notice that this method by itself can only work if the 
      string variable has no other references, and generally 
      you have to code carefully to avoid creating unwanted 
      copies of the string when passing it around in an app.
      So this is no silver bullet, but rather just one component 
      to solve this problem.

  * contrib/hbnetio/utils/netiosrv.prg
    + Added steps to avoid having the password stored in memory, 
      while the server is running.

  * src/rtl/philes.c
    % Minor cleanup.

harbour/ChangeLog

@@ -17,6 +17,26 @@
    past entries belonging to author(s): Viktor Szakats.
 */
 
+2010-01-13 17:12 UTC+0100 Viktor Szakats (harbour.01 syenar.hu)
+  * src/rtl/Makefile
+  + src/rtl/strclear.c
+  * include/hbextern.ch
+    + Added HB_STRCLEAR() function to safely clear the content
+      of a string variable.
+      Notice that this method by itself can only work if the
+      string variable has no other references, and generally
+      you have to code carefully to avoid creating unwanted
+      copies of the string when passing it around in an app.
+      So this is no silver bullet, but rather just one component
+      to solve this problem.
+
+  * contrib/hbnetio/utils/netiosrv.prg
+    + Added steps to avoid having the password stored in memory,
+      while the server is running.
+
+  * src/rtl/philes.c
+    % Minor cleanup.
+
 2010-01-13 15:45 UTC+0100 Viktor Szakats (harbour.01 syenar.hu)
   * contrib/hbnetio/utils/netiosrv.prg
     + Internal change moving all server object related variables to

harbour/contrib/hbnetio/utils/netiosrv.prg

@@ -52,6 +52,8 @@ PROCEDURE Main( ... )
    LOCAL cCommand
    LOCAL cPassword
 
+   LOCAL aParam
+
    HB_Logo()
 
    netiosrv[ _NETIOSRV_nPort ]         := 2941
@@ -60,7 +62,9 @@ PROCEDURE Main( ... )
    netiosrv[ _NETIOSRV_lRPC ]          := .F.
    netiosrv[ _NETIOSRV_lEncryption ]   := .F.
 
-   FOR EACH cParam IN hb_AParams()
+   aParam := hb_AParams()
+
+   FOR EACH cParam IN aParam
       DO CASE
       CASE Lower( Left( cParam, 6 ) ) == "-port="
          netiosrv[ _NETIOSRV_nPort ] := Val( SubStr( cParam, 7 ) )
@@ -70,6 +74,8 @@ PROCEDURE Main( ... )
          netiosrv[ _NETIOSRV_cRootDir ] := SubStr( cParam, 10 )
       CASE Lower( Left( cParam, 6 ) ) == "-pass="
          cPassword := SubStr( cParam, 7 )
+         hb_StrClear( @cParam )
+         hb_StrClear( @aParam[ cParam:__enumIndex() ] )
       CASE Lower( Left( cParam, 5 ) ) == "-rpc="
          netiosrv[ _NETIOSRV_cRPCFFileName ] := SubStr( cParam, 6 )
          netiosrv[ _NETIOSRV_cRPCFHRB ] := hb_hrbLoad( netiosrv[ _NETIOSRV_cRPCFFileName ] )
@@ -97,10 +103,10 @@ PROCEDURE Main( ... )
                                           netiosrv[ _NETIOSRV_cIFAddr ],;
                                           netiosrv[ _NETIOSRV_cRootDir ],;
                                           iif( Empty( netiosrv[ _NETIOSRV_cRPCFHRB ] ), netiosrv[ _NETIOSRV_lRPC ], hb_hrbGetFunSym( netiosrv[ _NETIOSRV_cRPCFHRB ], _RPC_FILTER ) ),;
-                                          cPassword )
+                                          @cPassword )
 
    netiosrv[ _NETIOSRV_lEncryption ] := ! Empty( cPassword )
-   cPassword := NIL /* Attempt to clear plain text pw from memory */
+   hb_StrClear( @cPassword ) /* Attempt to clear plain text pw from memory */
 
    IF Empty( netiosrv[ _NETIOSRV_pListenSocket ] )
       OutStd( "Cannot start server." + hb_osNewLine() )

harbour/include/hbextern.ch

@@ -931,6 +931,7 @@ EXTERNAL HB_STRTOHEX
 EXTERNAL HB_STRDECODESCAPE
 EXTERNAL HB_STRCDECODE
 EXTERNAL HB_STRXOR
+EXTERNAL HB_STRCLEAR
 EXTERNAL HB_ISPRINTER
 EXTERNAL HB_GETENV
 EXTERNAL HB_SETENV

harbour/src/rtl/Makefile

@@ -163,6 +163,7 @@ C_SOURCES := \
    str.c \
    strc.c \
    strcase.c \
+   strclear.c \
    strmatch.c \
    strpeek.c \
    strtoexp.c \

harbour/src/rtl/philes.c

@@ -113,11 +113,13 @@ HB_FUNC( FREAD )
 {
    PHB_ITEM pBuffer = hb_param( 2, HB_IT_STRING );
    HB_ERRCODE uiError = 0;
-   ULONG ulRead = 0, ulSize;
-   char * buffer;
+   ULONG ulRead = 0;
 
    if( HB_ISNUM( 1 ) && pBuffer && HB_ISBYREF( 2 ) && HB_ISNUM( 3 ) )
    {
+      char * buffer;
+      ULONG ulSize;
+
       ulRead = hb_parnl( 3 );
 
       /* NOTE: CA-Cl*pper determines the maximum size by calling _parcsiz()

harbour/src/rtl/strclear.c

@@ -0,0 +1,75 @@
+/*
+ * $Id$
+ */
+
+/*
+ * Harbour Project source code:
+ * HB_STRCLEAR() function
+ *
+ * Copyright 2010 Viktor Szakats (harbour.01 syenar.hu)
+ * www - http://www.harbour-project.org
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2, or (at your option)
+ * any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this software; see the file COPYING.  If not, write to
+ * the Free Software Foundation, Inc., 59 Temple Place, Suite 330,
+ * Boston, MA 02111-1307 USA (or visit the web site http://www.gnu.org/).
+ *
+ * As a special exception, the Harbour Project gives permission for
+ * additional uses of the text contained in its release of Harbour.
+ *
+ * The exception is that, if you link the Harbour libraries with other
+ * files to produce an executable, this does not by itself cause the
+ * resulting executable to be covered by the GNU General Public License.
+ * Your use of that executable is in no way restricted on account of
+ * linking the Harbour library code into it.
+ *
+ * This exception does not however invalidate any other reasons why
+ * the executable file might be covered by the GNU General Public License.
+ *
+ * This exception applies only to the code released by the Harbour
+ * Project under the name Harbour.  If you copy code from other
+ * Harbour Project or Free Software Foundation releases into a copy of
+ * Harbour, as the General Public License permits, the exception does
+ * not apply to the code that you add in this way.  To avoid misleading
+ * anyone as to the status of such modified files, you must delete
+ * this exception notice from them.
+ *
+ * If you write modifications of your own for Harbour, it is your choice
+ * whether to permit this exception to apply to your modifications.
+ * If you do not wish that, delete this exception notice.
+ *
+ */
+
+#include "hbapi.h"
+#include "hbapiitm.h"
+
+HB_FUNC( HB_STRCLEAR )
+{
+   PHB_ITEM pBuffer = hb_param( 1, HB_IT_STRING );
+
+   /* NOTE: clear RETURN value before calling hb_itemGetWriteCL(),
+            it's possible that it contains copy of passed item [druzus] */
+   hb_retl( HB_FALSE );
+
+   if( pBuffer && HB_ISBYREF( 1 ) )
+   {
+      char * buffer;
+      HB_SIZE nSize;
+
+      if( hb_itemGetWriteCL( pBuffer, &buffer, &nSize ) )
+      {
+         memset( buffer, '\0', nSize + 1 );
+         hb_retl( HB_TRUE );
+      }
+   }
+}