authorLuca Boccassi <bluca@debian.org>2023-12-22 01:57:39 +0100
committerLuca Boccassi <bluca@debian.org>2024-01-03 11:54:48 +0100
commit2e3414660cb0c6a024661638d0b237d88b5a7cbc (patch)
tree1b8b87e6d767c0379940afa6ee8e1705dceadb1e /src
parentjson: add JSON_FORMAT_REFUSE_SENSITIVE to json_variant_format() (diff)
varlink: avoid logging content of message if it contains sensitive data
This is important now that creds are sent via varlink:

systemd-creds[463]: varlink-3: Sending message: {"parameters":{"data":"Zm9vYmFyCg=="}}
systemd-creds[462]: varlink-3: New incoming message: {"method":"io.systemd.Credentials.Encrypt","parameters":{"data":"Zm9vYmFyCg=="}}
Diffstat (limited to 'src')
-rw-r--r--src/shared/varlink.c15
1 files changed, 8 insertions, 7 deletions
diff --git a/src/shared/varlink.c b/src/shared/varlink.c
index b6dc0d8590..2b40c7f3bd 100644
--- a/src/shared/varlink.c
+++ b/src/shared/varlink.c
@@ -961,10 +961,6 @@ static int varlink_parse_message(Varlink *v) {
sz = e - begin + 1;
- varlink_log(v, "New incoming message: %s", begin); /* FIXME: should we output the whole message here before validation?
- * This may produce a non-printable journal entry if the message
- * is invalid. We may also expose privileged information. */
-
r = json_parse(begin, 0, &v->current, NULL, NULL);
if (r < 0) {
/* If we encounter a parse failure flush all data. We cannot possibly recover from this,
@@ -1768,12 +1764,17 @@ Varlink* varlink_flush_close_unref(Varlink *v) {
static int varlink_format_json(Varlink *v, JsonVariant *m) {
_cleanup_(erase_and_freep) char *text = NULL;
+ bool sensitive = false;
int r;
assert(v);
assert(m);
- r = json_variant_format(m, 0, &text);
+ r = json_variant_format(m, JSON_FORMAT_REFUSE_SENSITIVE, &text);
+ if (r == -EPERM) {
+ sensitive = true;
+ r = json_variant_format(m, /* flags= */ 0, &text);
+ }
if (r < 0)
return r;
assert(text[r] == '\0');
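Review bot: The two-pass formatting in varlink_format_json() has no comment, and `sensitive` is derived solely from the `-EPERM` return of the first json_variant_format() call. I would add above that call `/* Format with JSON_FORMAT_REFUSE_SENSITIVE first: -EPERM means the message carries sensitive data, so format it again for the wire but keep it out of the log */`. This presumably relies on json_variant_format() returning -EPERM only for that refusal and leaving `text` unset when it refuses; both live in the parent commit and are not visible here, so they are worth confirming. The last hunk uses the same flag in place of `json_variant_is_sensitive(m)`, so a missed refusal would also leave `v->output_buffer_sensitive` unset.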
@@ -1781,7 +1782,7 @@ static int varlink_format_json(Varlink *v, JsonVariant *m) {
if (v->output_buffer_size + r + 1 > VARLINK_BUFFER_MAX)
return -ENOBUFS;
- varlink_log(v, "Sending message: %s", text);
+ varlink_log(v, "Sending message: %s", sensitive ? "<sensitive data>" : text);
if (v->output_buffer_size == 0) {
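Review bot: The redaction on the `varlink_log()` line is the security-relevant part of this function and deserves a comment saying so, for example `/* Never log the text of a sensitive message, the debug log ends up in the journal */`. Note that the two directions are now asymmetric: outgoing messages are still traced unless sensitive, while the first hunk drops the "New incoming message" log for every message, sensitive or not. If that loss of tracing is intended, the commit message should say so; otherwise a follow-up could log the incoming message after json_parse(), once its sensitivity can be determined. The function body continues outside this hunk.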
@@ -1812,7 +1813,7 @@ static int varlink_format_json(Varlink *v, JsonVariant *m) {
v->output_buffer_index = 0;
}
- if (json_variant_is_sensitive(m))
+ if (sensitive)
v->output_buffer_sensitive = true; /* Propagate sensitive flag */
else
text = mfree(text); /* No point in the erase_and_free() destructor declared above */