Commit 3bad9401 authored by Ximin Luo's avatar Ximin Luo Committed by Arturo Filastò

13581: Avoid hacking sys.path in bin/* scripts as that is a security risk.

We want to run these scripts with extra capabilities, using setcap. However, if
the end user can set PYTHONPATH, then they can feed arbitrary code into these
scripts and give extra capabilities to that code, which we should not allow.

Includes an ooniprobe-dev wrapper shell script to make things easier for
developers running directly from the repository. The important thing is that
this script is developer-only and *not* installed on end users' machines.
parent e358243b
+0 −5
#!/usr/bin/env python
import os
import sys
import exceptions

sys.path[:] = map(os.path.abspath, sys.path)
sys.path.insert(0, os.path.abspath(os.getcwd()))

from twisted.internet import defer, reactor

from ooni.utils import log
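Review bot: The `#!/usr/bin/env python` line shown at the top of this section still lets the caller's environment steer imports once the `sys.path` lines are gone, because the interpreter itself adds `PYTHONPATH` entries to `sys.path` and `env` resolves `python` through the caller's `PATH`. If the installed scripts are to run with extra capabilities, as the description says, consider a fixed interpreter path with `-E` (ignore `PYTHON*` variables) and `-s` (skip the user site directory), for example `#!/usr/bin/python -Es`, with the path adjusted per distribution. The same applies to the other three script sections in this commit, which show the same shebang. This view does not mark which displayed lines are removed, so the note assumes the shebang is unchanged context.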
+0 −5
#!/usr/bin/env python
import os, sys
import copy_reg
from twisted.internet import reactor

# Hack to set the proper sys.path. Overcomes the export PYTHONPATH pain.
sys.path[:] = map(os.path.abspath, sys.path)
sys.path.insert(0, os.path.abspath(os.getcwd()))

# This is a hack to overcome a bug in python
from ooni.utils.hacks import patched_reduce_ex
copy_reg._reduce_ex = patched_reduce_ex
+0 −7
#!/usr/bin/env python
import os
import sys
import exceptions

sys.path[:] = map(os.path.abspath, sys.path)
sys.path.insert(0, os.path.abspath(os.getcwd()))

from twisted.internet import defer, reactor

from ooni.utils import log
+0 −6
#!/usr/bin/env python
import os
import sys

sys.path[:] = map(os.path.abspath, sys.path)
sys.path.insert(0, os.path.abspath(os.getcwd()))

from twisted.internet import defer, reactor

from ooni.utils import log
+6 −6
@@ -3,38 +3,38 @@ the correct functionality of the various OONIProbe tests.

# DNS Consistency

./bin/ooniprobe -o dns_tamper_test.yamloo data/nettests/blocking/dns_consistency.py -t
./ooniprobe-dev -o dns_tamper_test.yamloo data/nettests/blocking/dns_consistency.py -t
example_inputs/dns_tamper_test_resolvers.txt -f example_inputs/dns_tamper_file.txt

less dns_tamper_test.yamloo

# Captive Portal

./bin/ooniprobe -o captive_portal_test.yamloo data/nettests/core/captiveportal.py
./ooniprobe-dev -o captive_portal_test.yamloo data/nettests/core/captiveportal.py

less captive_portal_test.yamloo

# HTTP Host

./bin/ooniprobe -o http_host.yamloo data/nettests/manipulation/http_host.py -b http://ooni.nu/test -f example_inputs/http_host_file.txt
./ooniprobe-dev -o http_host.yamloo data/nettests/manipulation/http_host.py -b http://ooni.nu/test -f example_inputs/http_host_file.txt

less http_host.yamloo

# Keyword filtering

./bin/ooniprobe -o keyword_filtering.yamloo data/nettests/core/keyword_filtering.py -b http://ooni.nu/test/ -f test_inputs/keyword_filtering_file.txt
./ooniprobe-dev -o keyword_filtering.yamloo data/nettests/core/keyword_filtering.py -b http://ooni.nu/test/ -f test_inputs/keyword_filtering_file.txt

less keyword_filtering.yamloo

# URL List

./bin/ooniprobe -o url_lists.yamloo data/nettests/core/url_list.py -f test_inputs/url_lists_file.txt
./ooniprobe-dev -o url_lists.yamloo data/nettests/core/url_list.py -f test_inputs/url_lists_file.txt

less url_lists.yamloo

# Squid transparent proxy

./bin/ooniprobe -o squid.yamloo data/nettests/core/squid.py
./ooniprobe-dev -o squid.yamloo data/nettests/core/squid.py

less squid.yamloo
