Date: Tue, 10 Oct 2023 16:37:46 -0400
From: "Frank Ch. Eigler"
To: elfutils-devel@sourceware.org
Subject: PATCH PR30962, debuginfod

commit e967988e419121cad1d7f40013a316059b1173f0
Author: Frank Ch. Eigler
Date: Tue Oct 10 16:21:00 2023 -0400

    PR30962: debuginfod: full paths for X-DEBUGINFOD-FILE/ARCHIVE response headers

    Previous code was inconsistent in offering basename versus full
    pathname for these headers. The documentation was not explicit on
    this issue. We now simplify by always passing full names back, and
    document this in the debuginfod.8 man page, along with pointers to
    how to use proxy front-end servers to strip them if needed.

    Signed-Off-By: Frank Ch. Eigler

diff --git a/debuginfod/debuginfod.cxx b/debuginfod/debuginfod.cxx index e53228803bb0..c11aeda1a3af 100644 --- a/debuginfod/debuginfod.cxx +++ b/debuginfod/debuginfod.cxx @@ -1876,11 +1876,10 @@ handle_buildid_f_match (bool internal_req_t, } else { - std::string file = b_source0.substr(b_source0.find_last_of("/")+1, b_source0.length()); add_mhd_response_header (r, "Content-Type", "application/octet-stream"); add_mhd_response_header (r, "X-DEBUGINFOD-SIZE", to_string(s.st_size).c_str()); - add_mhd_response_header (r, "X-DEBUGINFOD-FILE", file.c_str()); + add_mhd_response_header (r, "X-DEBUGINFOD-FILE", b_source0.c_str()); add_mhd_last_modified (r, s.st_mtime); if (verbose > 1) obatched(clog) << "serving file " << b_source0 << " section=" << section << endl; 
@@ -2164,14 +2163,12 @@ handle_buildid_r_match (bool internal_req_p, } else { - std::string file = b_source1.substr(b_source1.find_last_of("/")+1, b_source1.length()); add_mhd_response_header (r, "Content-Type", "application/octet-stream"); add_mhd_response_header (r, "X-DEBUGINFOD-SIZE", to_string(archive_entry_size(e)).c_str()); - add_mhd_response_header (r, "X-DEBUGINFOD-ARCHIVE", - b_source0.c_str()); - add_mhd_response_header (r, "X-DEBUGINFOD-FILE", file.c_str()); + add_mhd_response_header (r, "X-DEBUGINFOD-ARCHIVE", b_source0.c_str()); + add_mhd_response_header (r, "X-DEBUGINFOD-FILE", b_source1.c_str()); add_mhd_last_modified (r, archive_entry_mtime(e)); if (verbose > 1) obatched(clog) << "serving archive " << b_source0 diff --git a/doc/debuginfod.8 b/doc/debuginfod.8 index d4316bec8175..7003a5823d34 100644 --- a/doc/debuginfod.8 +++ b/doc/debuginfod.8 @@ -307,11 +307,11 @@ can take advantage of standard HTTP management infrastructure. Upon finding a file in an archive or simply in the database, some custom http headers are added to the response. For files in the database X-DEBUGINFOD-FILE and X-DEBUGINFOD-SIZE are added. -X-DEBUGINFOD-FILE is simply the unescaped filename and +X-DEBUGINFOD-FILE is simply the full path name and X-DEBUGINFOD-SIZE is the size of the file. For files found in archives, in addition to X-DEBUGINFOD-FILE and X-DEBUGINFOD-SIZE, -X-DEBUGINFOD-ARCHIVE is added. X-DEBUGINFOD-ARCHIVE is the name of the -archive the file was found in. +X-DEBUGINFOD-ARCHIVE is added. X-DEBUGINFOD-ARCHIVE is the full path +name of the archive the file was found in. There are three requests. In each case, the buildid is encoded as a lowercase hexadecimal string. For example, for a program \fI/bin/ls\fP, 
@@ -485,8 +485,9 @@ a denial-of-service in terms of RAM, CPU, disk I/O, or network I/O. If this is a problem, users are advised to install debuginfod with a HTTPS reverse-proxy front-end that enforces site policies for firewalling, authentication, integrity, authorization, and load -control. The \fI/metrics\fP webapi endpoint is probably not -appropriate for disclosure to the public. +control. Front-end proxies can also elide sensitive path name +components in X-DEBUGINFOD-FILE/ARCHIVE response headers, +for example using Apache httpd's \fBmod_header\fP "Header edit". When relaying queries to upstream debuginfods, debuginfod \fBdoes not\fP include any particular security features. It trusts that the binaries diff --git a/tests/run-debuginfod-response-headers.sh b/tests/run-debuginfod-response-headers.sh index 8cb7b843d19d..fbb6a4842fa4 100755 --- a/tests/run-debuginfod-response-headers.sh +++ b/tests/run-debuginfod-response-headers.sh @@ -78,8 +78,8 @@ tempfiles vlog-find$PORT1.1 errfiles vlog-find$PORT1.1 cat vlog-find$PORT1.1 grep 'Headers:' vlog-find$PORT1.1 -grep -i 'X-DEBUGINFOD-FILE: prog' vlog-find$PORT1.1 -grep -i 'X-DEBUGINFOD-SIZE: ' vlog-find$PORT1.1 +grep -i 'X-DEBUGINFOD-FILE: .*/prog' vlog-find$PORT1.1 +grep -i 'X-DEBUGINFOD-SIZE: ' vlog-find$PORT1.1 # Check to see if an executable file located in an archive prints the file's description and archive env DEBUGINFOD_URLS="http://127.0.0.1:"$PORT1 LD_LIBRARY_PATH=$ldpath ${abs_top_builddir}/debuginfod/debuginfod-find\ 
@@ -88,9 +88,9 @@ tempfiles vlog-find$PORT1.2 errfiles vlog-find$PORT1.2 cat vlog-find$PORT1.2 grep 'Headers:' vlog-find$PORT1.2 -grep -i 'X-DEBUGINFOD-FILE: ' vlog-find$PORT1.2 +grep -i 'X-DEBUGINFOD-FILE: .*/.*' vlog-find$PORT1.2 grep -i 'X-DEBUGINFOD-SIZE: ' vlog-find$PORT1.2 -grep -i 'X-DEBUGINFOD-ARCHIVE: ' vlog-find$PORT1.2 +grep -i 'X-DEBUGINFOD-ARCHIVE: .*/.*' vlog-find$PORT1.2 # Check that X-DEBUGINFOD-SIZE matches the size of each file for file in vlog-find$PORT1.1 vlog-find$PORT1.2
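
Review bot: in the debuginfod.cxx hunk at @@ -1876 (handle_buildid_f_match), passing b_source0.c_str() as X-DEBUGINFOD-FILE discloses the server's on-disk directory layout to every client by default, and the only mitigation the patch offers is a separately configured front-end proxy. Consider a server option that keeps the basename for sites running debuginfod without a proxy. Since the value is now an arbitrary path rather than a final component, it is also worth confirming that add_mhd_response_header copes with path bytes that are not legal in an HTTP header value; the man page text being removed described the value as "unescaped".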
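
Review bot: in the debuginfod.cxx hunk at @@ -2164 (handle_buildid_r_match), X-DEBUGINFOD-FILE is set from b_source1 while X-DEBUGINFOD-ARCHIVE is set from b_source0, whereas the file case in handle_buildid_f_match sets X-DEBUGINFOD-FILE from b_source0. The same header therefore carries a file system path in one case and what appears to be a path inside the archive in the other; a short comment at each call stating which kind of path is sent would help clients that previously relied on a basename. Minor style point visible in the hunk headers: the first parameter is named internal_req_t in one function and internal_req_p in the other.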
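
Review bot: in the doc/debuginfod.8 hunk at @@ -307, "X-DEBUGINFOD-FILE is simply the full path name" does not say what the path is relative to in the archive case, where the code sends b_source1 alongside the archive's own path in X-DEBUGINFOD-ARCHIVE. Suggest spelling out both cases (path on the server's file system versus path of the member within the archive). Dropping the word "unescaped" also leaves it unstated whether clients should expect any escaping of the value.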
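
Review bot: the doc/debuginfod.8 hunk at @@ -485 deletes the sentence "The \fI/metrics\fP webapi endpoint is probably not appropriate for disclosure to the public." while adding the proxy advice, and the commit message does not mention removing it. If the removal is unintended, keep that sentence and append the new one after it. The Apache module that provides "Header edit" is named mod_headers, so \fBmod_header\fP should be \fBmod_headers\fP.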
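
Review bot: in the tests/run-debuginfod-response-headers.sh hunk at @@ -78, the pattern 'X-DEBUGINFOD-FILE: .*/prog' is not anchored on either side of the path, so it also passes for a relative value such as "dir/prog" or a longer name such as ".../prog.debug". To assert the behaviour the commit describes, require a leading slash and end the match after prog, for example 'X-DEBUGINFOD-FILE: /.*/prog' followed by an end-of-value match that tolerates a trailing carriage return if the verbose log keeps one.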
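
Review bot: in the tests/run-debuginfod-response-headers.sh hunk at @@ -88, '.*/.*' for X-DEBUGINFOD-FILE and X-DEBUGINFOD-ARCHIVE only checks that the value contains a slash somewhere, which would not catch a regression to a wrong path or a swapped pair of values. Matching the expected archive file name at the end of X-DEBUGINFOD-ARCHIVE and the expected member name at the end of X-DEBUGINFOD-FILE, as the @@ -78 hunk does with prog, would make this check meaningful.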