From 6b3e132bfaf9a606fe6267b79163099c02146473 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 29 Nov 2022 14:14:32 +0100 Subject: [PATCH 54/54] CVE-2022-37966 python:/tests/krb5: call sys.path.insert(0, "bin/python") before any other imports This allows the tests to be executed without an explicit PYTHONPATH="bin/python". BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher Reviewed-by: Joseph Sutton Reviewed-by: Andrew Bartlett Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Tue Dec 13 14:06:14 UTC 2022 on sn-devel-184 (similar to commit 987cba90573f955fe9c781830daec85ad4d5bf92) Conflict: NA Reference: https://attachments.samba.org/attachment.cgi?id=17695 --- python/samba/tests/krb5/alias_tests.py | 6 +++--- python/samba/tests/krb5/as_canonicalization_tests.py | 5 +++-- python/samba/tests/krb5/etype_tests.py | 8 +++++--- python/samba/tests/krb5/fast_tests.py | 11 ++++++----- python/samba/tests/krb5/kdc_base_test.py | 7 ++++--- python/samba/tests/krb5/kpasswd_tests.py | 8 ++++---- python/samba/tests/krb5/lockout_tests.py | 11 ++++++----- python/samba/tests/krb5/nt_hash_tests.py | 8 ++++---- python/samba/tests/krb5/pac_align_tests.py | 6 +++--- python/samba/tests/krb5/protected_users_tests.py | 8 ++++---- python/samba/tests/krb5/rodc_tests.py | 4 ++-- python/samba/tests/krb5/s4u_tests.py | 3 ++- python/samba/tests/krb5/salt_tests.py | 6 +++--- python/samba/tests/krb5/spn_tests.py | 8 ++++---- python/samba/tests/krb5/test_ccache.py | 6 +++--- python/samba/tests/krb5/test_idmap_nss.py | 6 +++--- python/samba/tests/krb5/test_ldap.py | 6 +++--- python/samba/tests/krb5/test_min_domain_uid.py | 7 ++++--- python/samba/tests/krb5/test_rpc.py | 6 +++--- python/samba/tests/krb5/test_smb.py | 6 +++--- 20 files changed, 72 insertions(+), 64 deletions(-) diff --git a/python/samba/tests/krb5/alias_tests.py b/python/samba/tests/krb5/alias_tests.py index 1f63775c189c..3ddfe4ecc753 100755 --- a/python/samba/tests/krb5/alias_tests.py +++ b/python/samba/tests/krb5/alias_tests.py @@ -20,6 +20,9 @@ import sys import os +sys.path.insert(0, 'bin/python') +os.environ['PYTHONUNBUFFERED'] = '1' + import ldb from samba.tests import delete_force @@ -32,9 +35,6 @@ from samba.tests.krb5.rfc4120_constants import ( NT_PRINCIPAL, ) -sys.path.insert(0, 'bin/python') -os.environ['PYTHONUNBUFFERED'] = '1' - global_asn1_print = False global_hexdump = False diff --git a/python/samba/tests/krb5/as_canonicalization_tests.py b/python/samba/tests/krb5/as_canonicalization_tests.py index 700a03622e1d..22ea14d35752 100755 --- a/python/samba/tests/krb5/as_canonicalization_tests.py +++ b/python/samba/tests/krb5/as_canonicalization_tests.py @@ -19,12 +19,13 @@ import sys import os -from enum import Enum, unique -import pyasn1 sys.path.insert(0, "bin/python") os.environ["PYTHONUNBUFFERED"] = "1" +from enum import Enum, unique +import pyasn1 + from samba.tests.krb5.kdc_base_test import KDCBaseTest import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 from samba.credentials import DONT_USE_KERBEROS diff --git a/python/samba/tests/krb5/etype_tests.py b/python/samba/tests/krb5/etype_tests.py index 9725d544c2ac..46ccc70f07df 100755 --- a/python/samba/tests/krb5/etype_tests.py +++ b/python/samba/tests/krb5/etype_tests.py @@ -17,10 +17,14 @@ # along with this program. If not, see . # -import itertools import sys import os +sys.path.insert(0, "bin/python") +os.environ["PYTHONUNBUFFERED"] = "1" + +import itertools + from samba.dcerpc import security from samba.tests import DynamicTestCase @@ -34,8 +38,6 @@ from samba.tests.krb5.rfc4120_constants import ( ) import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 -sys.path.insert(0, "bin/python") -os.environ["PYTHONUNBUFFERED"] = "1" global_asn1_print = False global_hexdump = False diff --git a/python/samba/tests/krb5/fast_tests.py b/python/samba/tests/krb5/fast_tests.py index 7e69d6c83df5..52c0aa1d84af 100755 --- a/python/samba/tests/krb5/fast_tests.py +++ b/python/samba/tests/krb5/fast_tests.py @@ -17,9 +17,13 @@ # along with this program. If not, see . # -import functools -import os import sys +import os + +sys.path.insert(0, "bin/python") +os.environ["PYTHONUNBUFFERED"] = "1" + +import functools import collections import ldb @@ -58,9 +62,6 @@ from samba.tests.krb5.rfc4120_constants import ( import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 import samba.tests.krb5.kcrypto as kcrypto -sys.path.insert(0, "bin/python") -os.environ["PYTHONUNBUFFERED"] = "1" - global_asn1_print = False global_hexdump = False diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py index 46271a90bcf4..127de665fd57 100644 --- a/python/samba/tests/krb5/kdc_base_test.py +++ b/python/samba/tests/krb5/kdc_base_test.py @@ -18,6 +18,10 @@ import sys import os + +sys.path.insert(0, "bin/python") +os.environ["PYTHONUNBUFFERED"] = "1" + from datetime import datetime, timezone import tempfile import binascii @@ -95,9 +99,6 @@ from samba.tests.krb5.rfc4120_constants import ( PADATA_ETYPE_INFO2, ) -sys.path.insert(0, "bin/python") -os.environ["PYTHONUNBUFFERED"] = "1" - global_asn1_print = False global_hexdump = False diff --git a/python/samba/tests/krb5/kpasswd_tests.py b/python/samba/tests/krb5/kpasswd_tests.py index 0db857f7bbd1..014bd10aebd0 100755 --- a/python/samba/tests/krb5/kpasswd_tests.py +++ b/python/samba/tests/krb5/kpasswd_tests.py @@ -17,8 +17,11 @@ # along with this program. If not, see . # -import os import sys +import os + +sys.path.insert(0, 'bin/python') +os.environ['PYTHONUNBUFFERED'] = '1' from functools import partial @@ -41,9 +44,6 @@ from samba.tests.krb5.rfc4120_constants import ( NT_SRV_INST, ) -sys.path.insert(0, 'bin/python') -os.environ['PYTHONUNBUFFERED'] = '1' - global_asn1_print = False global_hexdump = False diff --git a/python/samba/tests/krb5/lockout_tests.py b/python/samba/tests/krb5/lockout_tests.py index e49e82a4bd5f..1e3330b0a42b 100755 --- a/python/samba/tests/krb5/lockout_tests.py +++ b/python/samba/tests/krb5/lockout_tests.py @@ -17,12 +17,16 @@ # along with this program. If not, see . # +import sys +import os + +sys.path.insert(0, 'bin/python') +os.environ['PYTHONUNBUFFERED'] = '1' + from concurrent import futures from enum import Enum from functools import partial from multiprocessing import Pipe -import os -import sys import time from cryptography.hazmat.backends import default_backend @@ -66,9 +70,6 @@ from samba.tests.krb5.rfc4120_constants import ( NT_SRV_INST, ) -sys.path.insert(0, 'bin/python') -os.environ['PYTHONUNBUFFERED'] = '1' - global_asn1_print = False global_hexdump = False diff --git a/python/samba/tests/krb5/nt_hash_tests.py b/python/samba/tests/krb5/nt_hash_tests.py index e64a874b0800..f2cd14887f85 100755 --- a/python/samba/tests/krb5/nt_hash_tests.py +++ b/python/samba/tests/krb5/nt_hash_tests.py @@ -16,8 +16,11 @@ # along with this program. If not, see . # -import os import sys +import os + +sys.path.insert(0, 'bin/python') +os.environ['PYTHONUNBUFFERED'] = '1' import ldb @@ -26,9 +29,6 @@ from samba.dcerpc import drsuapi, misc from samba.tests.krb5.kdc_base_test import KDCBaseTest -sys.path.insert(0, 'bin/python') -os.environ['PYTHONUNBUFFERED'] = '1' - global_asn1_print = False global_hexdump = False diff --git a/python/samba/tests/krb5/pac_align_tests.py b/python/samba/tests/krb5/pac_align_tests.py index ff8b608dde14..ae6359648e92 100755 --- a/python/samba/tests/krb5/pac_align_tests.py +++ b/python/samba/tests/krb5/pac_align_tests.py @@ -19,14 +19,14 @@ import sys import os +sys.path.insert(0, 'bin/python') +os.environ['PYTHONUNBUFFERED'] = '1' + from samba.dcerpc import krb5pac from samba.ndr import ndr_unpack from samba.tests import DynamicTestCase from samba.tests.krb5.kdc_base_test import KDCBaseTest -sys.path.insert(0, 'bin/python') -os.environ['PYTHONUNBUFFERED'] = '1' - global_asn1_print = False global_hexdump = False diff --git a/python/samba/tests/krb5/protected_users_tests.py b/python/samba/tests/krb5/protected_users_tests.py index 02d7356bb7dc..1c899a15a5ff 100755 --- a/python/samba/tests/krb5/protected_users_tests.py +++ b/python/samba/tests/krb5/protected_users_tests.py @@ -16,8 +16,11 @@ # along with this program. If not, see . # -import os import sys +import os + +sys.path.insert(0, 'bin/python') +os.environ['PYTHONUNBUFFERED'] = '1' from functools import partial @@ -47,9 +50,6 @@ from samba.tests.krb5.rfc4120_constants import ( ) import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 -sys.path.insert(0, 'bin/python') -os.environ['PYTHONUNBUFFERED'] = '1' - global_asn1_print = False global_hexdump = False diff --git a/python/samba/tests/krb5/rodc_tests.py b/python/samba/tests/krb5/rodc_tests.py index 3e0e2a7712e6..71ef603f49a6 100755 --- a/python/samba/tests/krb5/rodc_tests.py +++ b/python/samba/tests/krb5/rodc_tests.py @@ -19,11 +19,11 @@ import sys import os -from samba.tests.krb5.kdc_base_test import KDCBaseTest - sys.path.insert(0, "bin/python") os.environ["PYTHONUNBUFFERED"] = "1" +from samba.tests.krb5.kdc_base_test import KDCBaseTest + global_asn1_print = False global_hexdump = False diff --git a/python/samba/tests/krb5/s4u_tests.py b/python/samba/tests/krb5/s4u_tests.py index 97d07682ffe3..5b7aee8020d5 100755 --- a/python/samba/tests/krb5/s4u_tests.py +++ b/python/samba/tests/krb5/s4u_tests.py @@ -18,11 +18,12 @@ import sys import os -import functools sys.path.insert(0, "bin/python") os.environ["PYTHONUNBUFFERED"] = "1" +import functools + from samba import dsdb, ntstatus from samba.dcerpc import krb5pac, lsa, security diff --git a/python/samba/tests/krb5/salt_tests.py b/python/samba/tests/krb5/salt_tests.py index db777f8b7bc0..b9e82f984b3a 100755 --- a/python/samba/tests/krb5/salt_tests.py +++ b/python/samba/tests/krb5/salt_tests.py @@ -19,14 +19,14 @@ import sys import os +sys.path.insert(0, "bin/python") +os.environ["PYTHONUNBUFFERED"] = "1" + import ldb from samba.tests.krb5.as_req_tests import AsReqBaseTest import samba.tests.krb5.kcrypto as kcrypto -sys.path.insert(0, "bin/python") -os.environ["PYTHONUNBUFFERED"] = "1" - global_asn1_print = False global_hexdump = False diff --git a/python/samba/tests/krb5/spn_tests.py b/python/samba/tests/krb5/spn_tests.py index 62d2ea081bca..f4f20bea4f2f 100755 --- a/python/samba/tests/krb5/spn_tests.py +++ b/python/samba/tests/krb5/spn_tests.py @@ -17,8 +17,11 @@ # along with this program. If not, see . # -import os import sys +import os + +sys.path.insert(0, "bin/python") +os.environ["PYTHONUNBUFFERED"] = "1" from samba.tests import DynamicTestCase @@ -33,9 +36,6 @@ from samba.tests.krb5.rfc4120_constants import ( NT_PRINCIPAL, ) -sys.path.insert(0, "bin/python") -os.environ["PYTHONUNBUFFERED"] = "1" - global_asn1_print = False global_hexdump = False diff --git a/python/samba/tests/krb5/test_ccache.py b/python/samba/tests/krb5/test_ccache.py index 75038ea5cc15..6413bfa21150 100755 --- a/python/samba/tests/krb5/test_ccache.py +++ b/python/samba/tests/krb5/test_ccache.py @@ -20,6 +20,9 @@ import sys import os +sys.path.insert(0, "bin/python") +os.environ["PYTHONUNBUFFERED"] = "1" + import ldb from ldb import SCOPE_SUBTREE @@ -31,9 +34,6 @@ from samba.ntstatus import NT_STATUS_NO_IMPERSONATION_TOKEN from samba.tests.krb5.kdc_base_test import KDCBaseTest -sys.path.insert(0, "bin/python") -os.environ["PYTHONUNBUFFERED"] = "1" - global_asn1_print = False global_hexdump = False diff --git a/python/samba/tests/krb5/test_idmap_nss.py b/python/samba/tests/krb5/test_idmap_nss.py index d3480dbca3f7..1ee020122b95 100755 --- a/python/samba/tests/krb5/test_idmap_nss.py +++ b/python/samba/tests/krb5/test_idmap_nss.py @@ -20,6 +20,9 @@ import sys import os +sys.path.insert(0, 'bin/python') +os.environ['PYTHONUNBUFFERED'] = '1' + from ldb import SCOPE_SUBTREE from samba import NTSTATUSError from samba.credentials import DONT_USE_KERBEROS @@ -34,9 +37,6 @@ from samba.samba3 import param as s3param from samba.tests.krb5.kdc_base_test import KDCBaseTest -sys.path.insert(0, 'bin/python') -os.environ['PYTHONUNBUFFERED'] = '1' - global_asn1_print = False global_hexdump = False diff --git a/python/samba/tests/krb5/test_ldap.py b/python/samba/tests/krb5/test_ldap.py index c1375730e6fb..eaf79e7fa01d 100755 --- a/python/samba/tests/krb5/test_ldap.py +++ b/python/samba/tests/krb5/test_ldap.py @@ -20,6 +20,9 @@ import sys import os +sys.path.insert(0, "bin/python") +os.environ["PYTHONUNBUFFERED"] = "1" + import ldb from ldb import LdbError, ERR_OPERATIONS_ERROR, SCOPE_BASE, SCOPE_SUBTREE @@ -30,9 +33,6 @@ from samba import credentials from samba.tests.krb5.kdc_base_test import KDCBaseTest -sys.path.insert(0, "bin/python") -os.environ["PYTHONUNBUFFERED"] = "1" - global_asn1_print = False global_hexdump = False diff --git a/python/samba/tests/krb5/test_min_domain_uid.py b/python/samba/tests/krb5/test_min_domain_uid.py index 77414b239f08..7c7942c6cbee 100755 --- a/python/samba/tests/krb5/test_min_domain_uid.py +++ b/python/samba/tests/krb5/test_min_domain_uid.py @@ -18,6 +18,10 @@ import sys import os + +sys.path.insert(0, "bin/python") +os.environ["PYTHONUNBUFFERED"] = "1" + import pwd import ctypes @@ -29,9 +33,6 @@ from samba import NTSTATUSError, ntstatus from samba.tests.krb5.kdc_base_test import KDCBaseTest from samba.credentials import MUST_USE_KERBEROS, DONT_USE_KERBEROS -sys.path.insert(0, "bin/python") -os.environ["PYTHONUNBUFFERED"] = "1" - class SmbMinDomainUid(KDCBaseTest): """Test for SMB authorization without NSS winbind. In such setup domain accounts are mapped to local accounts using the 'username map' option. diff --git a/python/samba/tests/krb5/test_rpc.py b/python/samba/tests/krb5/test_rpc.py index 5a3c7339ceaa..6faf2a060632 100755 --- a/python/samba/tests/krb5/test_rpc.py +++ b/python/samba/tests/krb5/test_rpc.py @@ -20,6 +20,9 @@ import sys import os +sys.path.insert(0, "bin/python") +os.environ["PYTHONUNBUFFERED"] = "1" + import ldb from samba import NTSTATUSError, credentials @@ -31,9 +34,6 @@ from samba.ntstatus import ( from samba.tests.krb5.kdc_base_test import KDCBaseTest -sys.path.insert(0, "bin/python") -os.environ["PYTHONUNBUFFERED"] = "1" - global_asn1_print = False global_hexdump = False diff --git a/python/samba/tests/krb5/test_smb.py b/python/samba/tests/krb5/test_smb.py index 47e9e48c971d..f0a82a432291 100755 --- a/python/samba/tests/krb5/test_smb.py +++ b/python/samba/tests/krb5/test_smb.py @@ -20,6 +20,9 @@ import sys import os +sys.path.insert(0, "bin/python") +os.environ["PYTHONUNBUFFERED"] = "1" + import ldb from ldb import SCOPE_SUBTREE @@ -32,9 +35,6 @@ from samba.samba3 import param as s3param from samba.tests.krb5.kdc_base_test import KDCBaseTest -sys.path.insert(0, "bin/python") -os.environ["PYTHONUNBUFFERED"] = "1" - global_asn1_print = False global_hexdump = False -- 2.34.1