From 892efc393ddac81a4682dd40199c5601897b1373 Mon Sep 17 00:00:00 2001 From: Viktor Szakats Date: Wed, 13 Jan 2010 16:13:29 +0000 Subject: [PATCH] 2010-01-13 17:12 UTC+0100 Viktor Szakats (harbour.01 syenar.hu) * src/rtl/Makefile + src/rtl/strclear.c * include/hbextern.ch + Added HB_STRCLEAR() function to safely clear the content of a string variable. Notice that this method by itself can only work if the string variable has no other references, and generally you have to code carefully to avoid creating unwanted copies of the string when passing it around in an app. So this is no silver bullet, but rather just one component to solve this problem. * contrib/hbnetio/utils/netiosrv.prg + Added steps to avoid having the password stored in memory, while the server is running. * src/rtl/philes.c % Minor cleanup. --- harbour/ChangeLog | 20 ++++++ harbour/contrib/hbnetio/utils/netiosrv.prg | 12 +++- harbour/include/hbextern.ch | 1 + harbour/src/rtl/Makefile | 1 + harbour/src/rtl/philes.c | 6 +- harbour/src/rtl/strclear.c | 75 ++++++++++++++++++++++ 6 files changed, 110 insertions(+), 5 deletions(-) create mode 100644 harbour/src/rtl/strclear.c diff --git a/harbour/ChangeLog b/harbour/ChangeLog index 6a53020506..16b477e749 100644 --- a/harbour/ChangeLog +++ b/harbour/ChangeLog @@ -17,6 +17,26 @@ past entries belonging to author(s): Viktor Szakats. */ +2010-01-13 17:12 UTC+0100 Viktor Szakats (harbour.01 syenar.hu) + * src/rtl/Makefile + + src/rtl/strclear.c + * include/hbextern.ch + + Added HB_STRCLEAR() function to safely clear the content + of a string variable. + Notice that this method by itself can only work if the + string variable has no other references, and generally + you have to code carefully to avoid creating unwanted + copies of the string when passing it around in an app. + So this is no silver bullet, but rather just one component + to solve this problem. + + * contrib/hbnetio/utils/netiosrv.prg + + Added steps to avoid having the password stored in memory, + while the server is running. + + * src/rtl/philes.c + % Minor cleanup. + 2010-01-13 15:45 UTC+0100 Viktor Szakats (harbour.01 syenar.hu) * contrib/hbnetio/utils/netiosrv.prg + Internal change moving all server object related variables to diff --git a/harbour/contrib/hbnetio/utils/netiosrv.prg b/harbour/contrib/hbnetio/utils/netiosrv.prg index c644dc6cb0..3a55e389eb 100644 --- a/harbour/contrib/hbnetio/utils/netiosrv.prg +++ b/harbour/contrib/hbnetio/utils/netiosrv.prg @@ -52,6 +52,8 @@ PROCEDURE Main( ... ) LOCAL cCommand LOCAL cPassword + LOCAL aParam + HB_Logo() netiosrv[ _NETIOSRV_nPort ] := 2941 @@ -60,7 +62,9 @@ PROCEDURE Main( ... ) netiosrv[ _NETIOSRV_lRPC ] := .F. netiosrv[ _NETIOSRV_lEncryption ] := .F. - FOR EACH cParam IN hb_AParams() + aParam := hb_AParams() + + FOR EACH cParam IN aParam DO CASE CASE Lower( Left( cParam, 6 ) ) == "-port=" netiosrv[ _NETIOSRV_nPort ] := Val( SubStr( cParam, 7 ) ) @@ -70,6 +74,8 @@ PROCEDURE Main( ... ) netiosrv[ _NETIOSRV_cRootDir ] := SubStr( cParam, 10 ) CASE Lower( Left( cParam, 6 ) ) == "-pass=" cPassword := SubStr( cParam, 7 ) + hb_StrClear( @cParam ) + hb_StrClear( @aParam[ cParam:__enumIndex() ] ) CASE Lower( Left( cParam, 5 ) ) == "-rpc=" netiosrv[ _NETIOSRV_cRPCFFileName ] := SubStr( cParam, 6 ) netiosrv[ _NETIOSRV_cRPCFHRB ] := hb_hrbLoad( netiosrv[ _NETIOSRV_cRPCFFileName ] ) @@ -97,10 +103,10 @@ PROCEDURE Main( ... ) netiosrv[ _NETIOSRV_cIFAddr ],; netiosrv[ _NETIOSRV_cRootDir ],; iif( Empty( netiosrv[ _NETIOSRV_cRPCFHRB ] ), netiosrv[ _NETIOSRV_lRPC ], hb_hrbGetFunSym( netiosrv[ _NETIOSRV_cRPCFHRB ], _RPC_FILTER ) ),; - cPassword ) + @cPassword ) netiosrv[ _NETIOSRV_lEncryption ] := ! Empty( cPassword ) - cPassword := NIL /* Attempt to clear plain text pw from memory */ + hb_StrClear( @cPassword ) /* Attempt to clear plain text pw from memory */ IF Empty( netiosrv[ _NETIOSRV_pListenSocket ] ) OutStd( "Cannot start server." + hb_osNewLine() ) diff --git a/harbour/include/hbextern.ch b/harbour/include/hbextern.ch index 97f9a54d83..650df1437f 100644 --- a/harbour/include/hbextern.ch +++ b/harbour/include/hbextern.ch @@ -931,6 +931,7 @@ EXTERNAL HB_STRTOHEX EXTERNAL HB_STRDECODESCAPE EXTERNAL HB_STRCDECODE EXTERNAL HB_STRXOR +EXTERNAL HB_STRCLEAR EXTERNAL HB_ISPRINTER EXTERNAL HB_GETENV EXTERNAL HB_SETENV diff --git a/harbour/src/rtl/Makefile b/harbour/src/rtl/Makefile index 765bebfc0d..ce227bf0fd 100644 --- a/harbour/src/rtl/Makefile +++ b/harbour/src/rtl/Makefile @@ -163,6 +163,7 @@ C_SOURCES := \ str.c \ strc.c \ strcase.c \ + strclear.c \ strmatch.c \ strpeek.c \ strtoexp.c \ diff --git a/harbour/src/rtl/philes.c b/harbour/src/rtl/philes.c index c2eb1de7f5..bf806bd822 100644 --- a/harbour/src/rtl/philes.c +++ b/harbour/src/rtl/philes.c @@ -113,11 +113,13 @@ HB_FUNC( FREAD ) { PHB_ITEM pBuffer = hb_param( 2, HB_IT_STRING ); HB_ERRCODE uiError = 0; - ULONG ulRead = 0, ulSize; - char * buffer; + ULONG ulRead = 0; if( HB_ISNUM( 1 ) && pBuffer && HB_ISBYREF( 2 ) && HB_ISNUM( 3 ) ) { + char * buffer; + ULONG ulSize; + ulRead = hb_parnl( 3 ); /* NOTE: CA-Cl*pper determines the maximum size by calling _parcsiz() diff --git a/harbour/src/rtl/strclear.c b/harbour/src/rtl/strclear.c new file mode 100644 index 0000000000..0edc744977 --- /dev/null +++ b/harbour/src/rtl/strclear.c @@ -0,0 +1,75 @@ +/* + * $Id$ + */ + +/* + * Harbour Project source code: + * HB_STRCLEAR() function + * + * Copyright 2010 Viktor Szakats (harbour.01 syenar.hu) + * www - http://www.harbour-project.org + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2, or (at your option) + * any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this software; see the file COPYING. If not, write to + * the Free Software Foundation, Inc., 59 Temple Place, Suite 330, + * Boston, MA 02111-1307 USA (or visit the web site http://www.gnu.org/). + * + * As a special exception, the Harbour Project gives permission for + * additional uses of the text contained in its release of Harbour. + * + * The exception is that, if you link the Harbour libraries with other + * files to produce an executable, this does not by itself cause the + * resulting executable to be covered by the GNU General Public License. + * Your use of that executable is in no way restricted on account of + * linking the Harbour library code into it. + * + * This exception does not however invalidate any other reasons why + * the executable file might be covered by the GNU General Public License. + * + * This exception applies only to the code released by the Harbour + * Project under the name Harbour. If you copy code from other + * Harbour Project or Free Software Foundation releases into a copy of + * Harbour, as the General Public License permits, the exception does + * not apply to the code that you add in this way. To avoid misleading + * anyone as to the status of such modified files, you must delete + * this exception notice from them. + * + * If you write modifications of your own for Harbour, it is your choice + * whether to permit this exception to apply to your modifications. + * If you do not wish that, delete this exception notice. + * + */ + +#include "hbapi.h" +#include "hbapiitm.h" + +HB_FUNC( HB_STRCLEAR ) +{ + PHB_ITEM pBuffer = hb_param( 1, HB_IT_STRING ); + + /* NOTE: clear RETURN value before calling hb_itemGetWriteCL(), + it's possible that it contains copy of passed item [druzus] */ + hb_retl( HB_FALSE ); + + if( pBuffer && HB_ISBYREF( 1 ) ) + { + char * buffer; + HB_SIZE nSize; + + if( hb_itemGetWriteCL( pBuffer, &buffer, &nSize ) ) + { + memset( buffer, '\0', nSize + 1 ); + hb_retl( HB_TRUE ); + } + } +}