Skip to content

CDRIVER-5511 disable loading Cyrus plugins on Windows by default #1561

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 12 commits into from
Mar 22, 2024
Merged

CDRIVER-5511 disable loading Cyrus plugins on Windows by default #1561

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
12 commits
Select commit Hold shift + click to select a range
40048bd
CDRIVER-5511 disable loading Cyrus plugins on Windows by default
kevinAlbs Mar 14, 2024
69a0085
Fix `VISIBLE_IF`
kevinAlbs Mar 22, 2024
d88a43a
Clarify path is "absolute" in `CYRUS_PLUGIN_PREFIX_PATH`
kevinAlbs Mar 22, 2024
4e4fd59
change NEWS section to "Cyrus SASL"
kevinAlbs Mar 22, 2024
c98714c
consistently refer to "Cyrus SASL"
kevinAlbs Mar 22, 2024
8b7e1b5
add documentation note
kevinAlbs Mar 22, 2024
ff2f6cb
tweak warning message
kevinAlbs Mar 22, 2024
c436cec
use NULL to denote unset
kevinAlbs Mar 22, 2024
4b09320
clarify in docs plugin loading is needed for GSSAPI
kevinAlbs Mar 22, 2024
2a79143
replace another "Cyrus-SASL" with "Cyrus SASL"
kevinAlbs Mar 22, 2024
8fd99c0
consistently refer to "plugin"
kevinAlbs Mar 22, 2024
583f7c6
clarify build configuration is for C driver
kevinAlbs Mar 22, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions CMakeLists.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -150,6 +150,11 @@ mongo_setting(
]]
)

mongo_setting(CYRUS_PLUGIN_PATH_PREFIX "A path prefix to enable loading Cyrus-SASL plug-ins on Windows"
TYPE STRING
VISIBLE_IF [["ENABLE_SASL = CYRUS AND WIN32"]]
)

mongo_setting(ENABLE_CLIENT_SIDE_ENCRYPTION "Enable In-Use Encryption support. Requires additional support libraries."
OPTIONS ON OFF AUTO
DEFAULT VALUE AUTO)
Expand Down
7 changes: 7 additions & 0 deletions NEWS
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,3 +1,10 @@
libmongoc 1.26.2 (unreleased)
=============================

Fixes:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't believe this is a "fix". Suggest "Changes:" or "Cyrus SASL:" instead.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agreed. Updated to "Cyrus SASL:".

Also replaced "Cyrus-SASL" and "cyrus-sasl" with "Cyrus SASL" to match naming in https://www.cyrusimap.org/sasl/


* Disable plug-in loading with Cyrus-SASL on Windows by default. To re-enable, set the CMake option `CYRUS_PLUGIN_PATH_PREFIX` to the path prefix of the Cyrus-SASL plug-ins.

libmongoc 1.26.1
================

Expand Down
2 changes: 2 additions & 0 deletions src/libmongoc/CMakeLists.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -814,6 +814,8 @@ if (MONGOC_ENABLE_STATIC_BUILD)
set_target_properties (mcd_rpc PROPERTIES OUTPUT_NAME "mcd-rpc")
endif ()

set_source_files_properties (src/mongoc/mongoc-cyrus.c PROPERTIES COMPILE_DEFINITIONS MONGOC_CYRUS_PLUGIN_PATH_PREFIX="${CYRUS_PLUGIN_PATH_PREFIX}")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
set_source_files_properties (src/mongoc/mongoc-cyrus.c PROPERTIES COMPILE_DEFINITIONS MONGOC_CYRUS_PLUGIN_PATH_PREFIX="${CYRUS_PLUGIN_PATH_PREFIX}")
set_property(SOURCE ${PROJECT_SOURCE_DIR}/src/mongoc/mongoc-cyrus.c APPEND PROPERTY COMPILE_DEFINITIONS "MONGOC_CYRUS_PLUGIN_PATH_PREFIX=${CYRUS_PLUGIN_PATH_PREFIX}")

Avoid overwriting any prior value(s) of COMPILE_DEFINITIONS.


if (ENABLE_SHARED)
add_library (mongoc_shared SHARED ${SOURCES} ${HEADERS} ${HEADERS_FORWARDING})
if(WIN32)
Expand Down
2 changes: 2 additions & 0 deletions src/libmongoc/src/mongoc/mongoc-cyrus-private.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -46,6 +46,8 @@ struct _mongoc_cyrus_t {
#define SASL_CALLBACK_FN(_f) ((int (*) (void)) ((void (*) (void)) (_f)))
#endif

int
_mongoc_cyrus_verifyfile_cb (void *context, const char *file, sasl_verify_type_t type);
void
_mongoc_cyrus_init (mongoc_cyrus_t *sasl);
bool
Expand Down
44 changes: 44 additions & 0 deletions src/libmongoc/src/mongoc/mongoc-cyrus.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -126,6 +126,49 @@ _mongoc_cyrus_get_user (mongoc_cyrus_t *sasl, int param_id, const char **result,
return (sasl->credentials.user != NULL) ? SASL_OK : SASL_FAIL;
}

static const char *
sasl_verify_type_to_str (sasl_verify_type_t type)
{
switch (type) {
case SASL_VRFY_PLUGIN:
return "SASL_VRFY_PLUGIN";
case SASL_VRFY_CONF:
return "SASL_VRFY_CONF";
case SASL_VRFY_PASSWD:
return "SASL_VRFY_PASSWD";
case SASL_VRFY_OTHER:
return "SASL_VRFY_OTHER";
default:
return "Unknown";
}
}

int
_mongoc_cyrus_verifyfile_cb (void *context, const char *file, sasl_verify_type_t type)
{
TRACE ("Attempting to load file: `%s`. Type is %s\n", file, sasl_verify_type_to_str (type));

#ifdef _WIN32
// On Windows, Cyrus-SASL hard-codes the plugin path.
// Only permit loading plug-in from user configured path to prevent unintentional library loading.
if (type == SASL_VRFY_PLUGIN) {
const char *path_prefix = MONGOC_CYRUS_PLUGIN_PATH_PREFIX;
bool has_valid_prefix = (0 != strlen (path_prefix) && file == strstr (file, path_prefix));
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Recommend using NULL instead of empty string to denote when CYRUS_PLUGIN_PATH_PREFIX is unset:

set_property(
   SOURCE ${PROJECT_SOURCE_DIR}/src/mongoc/mongoc-cyrus.c
   APPEND PROPERTY COMPILE_DEFINITIONS
   "MONGOC_CYRUS_PLUGIN_PATH_PREFIX=$<IF:$<STREQUAL:${CYRUS_PLUGIN_PATH_PREFIX},>,NULL,${CYRUS_PLUGIN_PATH_PREFIX}>"
)
bool has_valid_prefix = (path_prefix && file == strstr (file, path_prefix));
// ...
MONGOC_WARNING (
   "... set CYRUS_PLUGIN_PATH_PREFIX (currently '%s') to ...",
   // ...
   path_prefix ? path_prefix : "(unset)"
);

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I like that suggestion. Applied with the addition of escaped quotes in set_property: \"${MONGOC_CYRUS_PLUGIN_PATH_PREFIX}\".

// Check if `file` has necessary prefix.
if (has_valid_prefix) {
return SASL_OK;
}
MONGOC_WARNING ("Not loading Cyrus-SASL plugin: %s. If plugin is needed, set CMake option "
"`CYRUS_PLUGIN_PATH_PREFIX (currently '%s')` to a non-empty string contain the path prefix.",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
MONGOC_WARNING ("Not loading Cyrus-SASL plugin: %s. If plugin is needed, set CMake option "
"`CYRUS_PLUGIN_PATH_PREFIX (currently '%s')` to a non-empty string contain the path prefix.",
MONGOC_WARNING ("Refusing to load Cyrus-SASL plugin at: '%s'. If needed, set CYRUS_PLUGIN_PATH_PREFIX (currently "
"'%s') to the absolute path prefix during build configuration.",

Message phrasing suggestion.

file,
path_prefix);
return SASL_CONTINUE;
}
#endif

return SASL_OK;
}


void
_mongoc_cyrus_init (mongoc_cyrus_t *sasl)
Expand All @@ -134,6 +177,7 @@ _mongoc_cyrus_init (mongoc_cyrus_t *sasl)
{SASL_CB_USER, SASL_CALLBACK_FN (_mongoc_cyrus_get_user), sasl},
{SASL_CB_PASS, SASL_CALLBACK_FN (_mongoc_cyrus_get_pass), sasl},
{SASL_CB_CANON_USER, SASL_CALLBACK_FN (_mongoc_cyrus_canon_user), sasl},
{SASL_CB_VERIFYFILE, SASL_CALLBACK_FN (_mongoc_cyrus_verifyfile_cb), NULL},
{SASL_CB_LIST_END}};

BSON_ASSERT (sasl);
Expand Down
7 changes: 6 additions & 1 deletion src/libmongoc/src/mongoc/mongoc-init.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -52,6 +52,7 @@

#ifdef MONGOC_ENABLE_SASL_CYRUS
#include <sasl/sasl.h>
#include <mongoc-cyrus-private.h> // _mongoc_cyrus_verifyfile_cb

static void *
mongoc_cyrus_mutex_alloc (void)
Expand Down Expand Up @@ -110,7 +111,11 @@ static BSON_ONCE_FUN (_mongoc_do_init)
sasl_set_mutex (
mongoc_cyrus_mutex_alloc, mongoc_cyrus_mutex_lock, mongoc_cyrus_mutex_unlock, mongoc_cyrus_mutex_free);

status = sasl_client_init (NULL);
sasl_callback_t callbacks[] = {// Include callback to disable loading plugins.
{SASL_CB_VERIFYFILE, SASL_CALLBACK_FN (_mongoc_cyrus_verifyfile_cb), NULL},
{SASL_CB_LIST_END}};

status = sasl_client_init (callbacks);
BSON_ASSERT (status == SASL_OK);
#endif

Expand Down